Abstract

We build a Kleene realizability semantics for the two-level Minimalist Foundation MF, 
ideated by Maietti and Sambin in 2005 and completed by Maietti in 2009. Thanks to this 
semantics we prove that both levels of MF are consistent with the (Extended) formal Church 
Thesis CT. 

Since MF consists of two levels, an intensional one, called mTT, and an extensional one, 
called emTT, linked by an interpretation, it is enough to build a realizability semantics for the 
intensional level mTT to get one for the extensional one emTT, too. Moreover, both levels 
consist of type theories based on versions of Martin-Löf’s type theory.

Our realizability semantics for mTT is a modification of the realizability semantics by Beeson
in 1985 for extensional first order Martin-Löf’s type theory with one universe. So it is formalized
in Feferman’s classical arithmetic theory of inductive definitions, called IDi. It is called
extensional Kleene realizability semantics since it validates extensional equality of type-theoretic
functions extFun, as in Beeson’s one.

The main modification we perform on Beeson’s semantics is to interpret propositions, which 
are defined primitively in MF, in a proof-irrelevant way. As a consequence, we gain the validity 
of CT. Recalling that extFun + CT + AC are inconsistent over arithmetics with finite types,
we conclude that our semantics does not validate the Axiom of Choice AC on generic types.
On the contrary, Beeson’s semantics does validate AC, being this a theorem of Martin-Löf’s
theory, but it does not validate CT. The semantics we present here appears to be the best 
Kleene realizability semantics for the extensional level emTT. Indeed Beeson’s semantics is not 
an option for emTT since AC on generic sets added to it entails the excluded middle. 


1 Introduction 

A foundation for mathematics should be called constructive only if the mathematics arising from it 
could be considered genuinely computable. One way to show this is to produce a realizability model 
of the foundation where arbitrary sets are interpreted as data types and functions between them are 
interpreted as programs. A key example is Kleene’s realizability model for first-order Intuitionist 
Arithmetics validating the formal Church Thesis. 

Here we will show how to build a realizability model for the Minimalist Foundation, for short 
MF, ideated by Maietti and Sambin in m and then completed by Maietti in m, where it is 
explicit how to extract programs from its proofs. In particular we show that MF is consistent with 
the (Extended) Church Thesis, for short CT. This result is part of a project to know to what extent 
MF enjoys the same properties as Heyting arithmetics. 

The Minimalist Foundation is intended to constitute a common core among the most relevant 
constructive and classical foundations. One of its novelties is that it consists of two levels: an 
intensional level, called mTT, which should make evident the constructive contents of mathematical
proofs in terms of programs, and an extensional level, called emTT, formulated in a language as close
as possible to that of ordinary mathematics. Both intensional and extensional levels of
MF consist of type systems based on versions of Martin-Löf’s type theory with the addition of a
primitive notion of propositions: the intensional one is based on [18] and the extensional one on m-
Actually mTT can be considered a predicative version of Coquand’s Calculus of Constructions [1].

To build a realizability model for the two-level Minimalist Foundation, it is enough to build it 
for its intensional level mTT. Indeed an interpretation for the extensional level emTT can be then 
obtained from an interpretation of mTT by composing this with the interpretation of emTT in a 
suitable setoid model of mTT as in [10] and analyzed in [12]. Moreover, since the interpretation of 
CT from the extensional level to the intensional one is equivalent to CT itself according to [1^, a 
model showing consistency of mTT with CT can be turned into a model showing consistency of 
emTT with CT. 

Here, we build a realizability model for mTT + CT by suitably modifying Beeson’s realizability
semantics [5] for the extensional version of first order Martin-Löf’s type theory with one universe m
So, like Beeson’s semantics, our model is based on Kleene realizability semantics of intuitionistic
arithmetics and it is formalized in Feferman’s classical arithmetic theory of inductive definitions,
called IDi (0). The theory IDi is formulated in the language of second-order arithmetics and it
consists of PA (Peano Arithmetic) plus the existence of some (not necessarily the least) fix point for
positive parameter-free arithmetical operators.

We call our Kleene realizability semantics extensional since it validates extensional equality of 
type-theoretic functions extFun, as Beeson’s one. 

The main modification we perform to Beeson’s semantics is to interpret propositions, which 
are defined primitively in MF, in a proof-irrelevant way. More in detail we interpret mTT-sets 
as Beeson interpreted Martin-Lof’s sets, propositions are interpreted as trivial quotients of Kleene 
realizability interpretation of intuitionistic connectives, and the universe of mTT-small propositions 
is interpreted as a suitable quotient of some fix point including all the codes of small propositions 
by using the technique Beeson adopted to interpret Martin-Lof’s universe. 

As a consequence in our model we gain the validity of CT but we lose the validity of the full
Axiom of Choice AC. Instead in Beeson’s semantics, AC is valid, being this a theorem of
Martin-Löf’s theory, but CT is not. All these results follow from the well known fact that extFun + CT +
AC over arithmetics with finite types are inconsistent. Therefore in the presence of extFun as in
our emTT, either one validates CT as we do here, or AC as in Beeson’s semantics. Recalling that 
the addition of AC on generic sets in emTT entails the excluded middle, Beeson’s semantics is 
not an option for emTT. Therefore the semantics we present here appears to be the best Kleene 
realizability semantics for the extensional level emTT. 

Actually a consistency proof for emTT with CT could also be obtained by interpreting this 
theory in the internal theory of Hyland’s effective topos [5]. But here we have obtained a proof in 
a predicative theory, whilst classical, as IDi. As a future work we intend to generalize the notion of 
effective topos to that of a predicative effective topos in order to extract the categorical structure 
behind our realizability interpretation. 


2 The Minimalist Foundation 

In [TU] a two-level formal system, called Minimalist Foundation, for short MF, is completed 
following the design advocated in M- The two levels of MF are both given by a type theory a 
la Martin-Lof: the intensional level, called mTT, is an intensional type theory including aspects 
of Martin-Löf’s one in [T5] (and extending the set-theoretic version in [Tl] with collections), and
its extensional level, called emTT, is an extensional type theory including aspects of extensional 
Martin-Lof’s one in m- Then a quotient model of setoids a la Bishop [iiziiiiiin] over the intensional 
level is used in m to interpret the extensional level in the intensional one. A categorical study of 
this quotient model has been carried on in [Hinilla] and related to the construction of Hyland’s 
effective topos [HIS]. 

MF was ideated in m to be constructive and minimalist, that is compatible with (or interpretable
in) most relevant constructive and classical foundations for mathematics in the literature.
According to these desiderata, MF has the following peculiar features (for a more extensive description
see also [15]):

• MF has two types of entities: sets and collections. This is a consequence of the fact
that a minimalist foundation compatible with most of constructive theories in the literature,
among which, for example, Martin-Löf’s one in [18], should be certainly predicative and based
on intuitionistic predicate logic, including at least the axioms of Heyting arithmetic. For
instance it could be a many-sorted logic, such as Heyting arithmetic of finite types [21], where
sorts, that we call types, include the basic sets we need to represent our mathematical entities.
But in order to represent topology in an intuitionistic and predicative way, then MF needs
to be equipped with two kinds of entities: sets and collections. Indeed, the power of a non-empty
set, namely the discrete topology over a non-empty set, fails to be a set in a predicative
foundation, and it is only a collection.

• MF has two types of propositions. This is a consequence of the previous characteristic.
Indeed the presence of sets and collections, where the latter include the representation of
power-collections of subsets, leads us to distinguish two types of propositions to remain predicative:
those closed under quantifications on sets, called small propositions in [10], from those closed
under any kind of quantification, called propositions in m- This distinction is crucial in the
definition of “subset of a set” we adopt in MF: a subset of a set A is indeed an equivalence
class of small propositional functions from A.

• MF has two types of functions. As in Coquand’s Calculus of Constructions [1], or
Feferman’s predicative theories [3, in MF we distinguish the notion of functional relation from
that of type-theoretic function. In particular in MF only type-theoretic functions between two
sets form a set, while functional relations between two sets form generally a collection.

This restriction is crucial to make MF compatible with classical predicative theories as
Feferman’s predicative theories [S]. Indeed it is well-known that the addition of the principle of
excluded middle can turn a predicative theory where functional relations between sets form
a set, as Aczel’s CZF or Martin-Löf’s type theory, into an impredicative one where
power-collections become sets.

2.1 The intensional level of the Minimalist Foundation

Here we describe the intensional level of the Minimalist Foundation in which is represented by
a dependent type theory called mTT. This type theory is written in the style of Martin-Löf’s type
theory [18] by means of the following four kinds of judgements:

$$A\ \mathit{type}\ [\Gamma] \qquad A = B\ \mathit{type}\ [\Gamma] \qquad a \in A\ [\Gamma] \qquad a = b \in A\ [\Gamma]$$

that is the type judgement (expressing that something is a specific type), the type equality judgement
(expressing when two types are equal), the term judgement (expressing that something is a term of
a certain type) and the term equality judgement (expressing the definitional equality between terms
of the same type), respectively, all under a context $\Gamma$.

The word type is used as a meta-variable to indicate four kinds of entities: collections, sets,
propositions and small propositions, namely

$$\mathit{type} \in \{\mathit{col},\ \mathit{set},\ \mathit{prop},\ \mathit{props}\}$$

Therefore, in mTT types are actually formed by using the following judgements:

$$A\ \mathit{set}\ [\Gamma] \qquad D\ \mathit{col}\ [\Gamma] \qquad \phi\ \mathit{prop}\ [\Gamma] \qquad \psi\ \mathit{props}\ [\Gamma]$$

saying that $A$ is a set, that $D$ is a collection, that $\phi$ is a proposition and that $\psi$ is a small proposition.

Here, contrary to [10] where capital latin letters are used as meta-variables for all types, we
use greek letters $\psi$, $\phi$ as meta-variables for propositions, we mostly use capital latin letters A, B as
meta-variables for sets and capital latin letters C, D as meta-variables for collections.

As in the intensional version of Martin-Löf’s type theory, in mTT there are two kinds of equality
concerning terms: one is the definitional equality of terms of the same type given by the judgement

$$a = b \in A\ [\Gamma]$$

which is decidable, and the other is the propositional equality written

$$\mathsf{Id}(A, a, b)\ \mathit{prop}\ [\Gamma]$$

which is not necessarily decidable.

We now proceed by briefly describing the various kinds of types in mTT, starting from small 
propositions and propositions and then passing to sets and finally collections. 

Small propositions in mTT include all the logical constructors of intuitionistic predicate logic
with equality and quantifications restricted to sets:

$$\phi\ \mathit{props} \equiv \bot \mid \phi \wedge \psi \mid \phi \vee \psi \mid \phi \to \psi \mid (\forall x \in A)\,\phi(x) \mid (\exists x \in A)\,\phi(x) \mid \mathsf{Id}(A, a, b)$$

provided that $A$ is a set.

Then, propositions in mTT include all the logical constructors of intuitionistic predicate logic
with equality and quantifications on all kinds of types, i.e. sets and collections. Of course, small
propositions are also propositions.

$$\phi\ \mathit{prop} \equiv \phi\ \mathit{props} \mid \phi \wedge \psi \mid \phi \vee \psi \mid \phi \to \psi \mid (\forall x \in D)\,\phi(x) \mid (\exists x \in D)\,\phi(x) \mid \mathsf{Id}(D, d, b)$$


In order to close sets under comprehension, for example to include the set of positive natural
numbers $\{x \in N \mid x \geq 1\}$, and to define operations on such sets, we need to think of propositions
as types of their proofs: small propositions are seen as sets of their proofs while generic propositions
are seen as collections of their proofs. That is, we add to mTT the following rules

$$\text{props-into-set)}\ \ \frac{\phi\ \mathit{props}}{\phi\ \mathit{set}} \qquad\qquad \text{prop-into-col)}\ \ \frac{\phi\ \mathit{prop}}{\phi\ \mathit{col}}$$

Before explaining the difference between the notion of set and collection we describe their constructors
in mTT.

Sets in mTT are characterized as inductively generated types and they include the following:

$$A\ \mathit{set} \equiv \phi\ \mathit{props} \mid N_0 \mid N_1 \mid N \mid List(A) \mid (\Sigma x \in A)\,B(x) \mid A + B \mid (\Pi x \in A)\,B(x)$$

where the notation $N_0$ stands for the empty set, $N_1$ for the singleton set, $N$ for the set of natural
numbers, $List(A)$ for the set of Lists on the set $A$, $(\Sigma x \in A)B(x)$ for the indexed sum of the family
of sets $B(x)\ \mathit{set}\ [x \in A]$ indexed on the set $A$, $A + B$ for the disjoint sum of the set $A$ with the set
$B$, $(\Pi x \in A)B(x)$ for the product type of the family of sets $B(x)\ \mathit{set}\ [x \in A]$ indexed on the set $A$.

It is worth noting that the set $N$ of the natural numbers is not present in a primitive way in
mTT since its rules can be derived by putting $N = List(N_1)$. Here we add it to the syntax of
mTT because it plays a prominent role in realizability and we want to interpret it directly in IDi
to avoid complications due to list encodings.

Finally, collections in mTT include the following types:

$$D\ \mathit{col} \equiv A\ \mathit{set} \mid \phi\ \mathit{prop} \mid \mathit{props} \mid A \to \mathit{props} \mid (\Sigma x \in D)\,E(x)$$

and all sets are collections thanks to the following rule:

$$\text{set-into-col)}\ \ \frac{A\ \mathit{set}}{A\ \mathit{col}}$$

where $\mathit{props}$ stands for the collection of (codes for) small propositions and $A \to \mathit{props}$ for the collection
of propositional functions of the set $A$, while $(\Sigma x \in D)\,E(x)$ stands for the indexed sum of the family
of collections $E(x)\ \mathit{col}\ [x \in D]$ indexed on the collection $D$.

Note that the collection of small propositions props is defined here with codes a la Tarski as in 
m. contrary to the version in cni, to make the interpretation easier to understand. Its rules are 
the following. 

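Elements of the collection of small propositions are generated as follows:

$$\text{Pr}_1)\ \ \widehat{\bot} \in \mathit{props} \qquad\qquad \text{Pr}_2)\ \ \frac{p \in \mathit{props} \quad q \in \mathit{props}}{p \mathbin{\widehat{\vee}} q \in \mathit{props}}$$

$$\text{Pr}_3)\ \ \frac{p \in \mathit{props} \quad q \in \mathit{props}}{p \mathbin{\widehat{\to}} q \in \mathit{props}} \qquad\qquad \text{Pr}_4)\ \ \frac{p \in \mathit{props} \quad q \in \mathit{props}}{p \mathbin{\widehat{\wedge}} q \in \mathit{props}}$$

$$\text{Pr}_5)\ \ \frac{A\ \mathit{set} \quad a \in A \quad b \in A}{\widehat{\mathsf{Id}}(A, a, b) \in \mathit{props}} \qquad\qquad \text{Pr}_6)\ \ \frac{p(x) \in \mathit{props}\ [x \in B] \quad B\ \mathit{set}}{(\widehat{\exists} x \in B)\,p(x) \in \mathit{props}}$$

$$\text{Pr}_7)\ \ \frac{p(x) \in \mathit{props}\ [x \in B] \quad B\ \mathit{set}}{(\widehat{\forall} x \in B)\,p(x) \in \mathit{props}}$$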

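Elements of the collection of small propositions can be decoded as small propositions via an
operator as follows

$$\tau\text{-Pr)}\ \ \frac{p \in \mathit{props}}{\tau(p)\ \mathit{props}}$$

and this operator satisfies the following definitional equalities:

$$\text{eq-Pr}_1)\ \ \tau(\widehat{\bot}) = \bot\ \mathit{props} \qquad\qquad \text{eq-Pr}_2)\ \ \frac{p \in \mathit{props} \quad q \in \mathit{props}}{\tau(p \mathbin{\widehat{\vee}} q) = \tau(p) \vee \tau(q)\ \mathit{props}}$$

$$\text{eq-Pr}_3)\ \ \frac{p \in \mathit{props} \quad q \in \mathit{props}}{\tau(p \mathbin{\widehat{\to}} q) = \tau(p) \to \tau(q)\ \mathit{props}} \qquad\qquad \text{eq-Pr}_4)\ \ \frac{p \in \mathit{props} \quad q \in \mathit{props}}{\tau(p \mathbin{\widehat{\wedge}} q) = \tau(p) \wedge \tau(q)\ \mathit{props}}$$

$$\text{eq-Pr}_5)\ \ \frac{A\ \mathit{set} \quad a \in A \quad b \in A}{\tau(\widehat{\mathsf{Id}}(A, a, b)) = \mathsf{Id}(A, a, b)\ \mathit{props}} \qquad\qquad \text{eq-Pr}_6)\ \ \frac{p(x) \in \mathit{props}\ [x \in B] \quad B\ \mathit{set}}{\tau((\widehat{\exists} x \in B)\,p(x)) = (\exists x \in B)\,\tau(p(x))\ \mathit{props}}$$

$$\text{eq-Pr}_7)\ \ \frac{p(x) \in \mathit{props}\ [x \in B] \quad B\ \mathit{set}}{\tau((\widehat{\forall} x \in B)\,p(x)) = (\forall x \in B)\,\tau(p(x))\ \mathit{props}}$$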


In the realizability interpretation of mTT we need to define a subset of natural numbers including
codes of mTT-sets in order to define the subset of codes of small propositions closed under
quantification on sets. The existence of such a subset of set codes says that the realizability
interpretation is actually interpreting an extension of mTT with a collection of sets. In order to simplify
the definition of the realizability interpretation, we interpret an extension of mTT, which we call
mTT®, with the addition of the collection Set of set codes whose related rules are the following. We
don’t give any elimination and conversion rule as those of universes a la Tarski in [18] since it would
not be validated in the model (because we do not have least fix-points in IDi).

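Collection of sets

$$\text{F-Se)}\ \ \mathit{Set}\ \mathit{col}$$

Elements of the collection of sets are generated as follows:

$$\text{See)}\ \ \widehat{N_0} \in \mathit{Set} \qquad\qquad \text{Scs)}\ \ \widehat{N_1} \in \mathit{Set}$$

$$\text{Se;)}\ \ \frac{a \in \mathit{Set}}{\widehat{List}(a) \in \mathit{Set}} \qquad\qquad \text{Se„)}\ \ \frac{a \in \mathit{Set} \quad b \in \mathit{Set}}{a \mathbin{\widehat{+}} b \in \mathit{Set}}$$

$$\text{Ses)}\ \ \frac{a(x) \in \mathit{Set}\ [x \in B] \quad B\ \mathit{set}}{(\widehat{\Sigma} x \in B)\,a(x) \in \mathit{Set}} \qquad\qquad \text{Sen)}\ \ \frac{a(x) \in \mathit{Set}\ [x \in B] \quad B\ \mathit{set}}{(\widehat{\Pi} x \in B)\,a(x) \in \mathit{Set}}$$

$$\text{sp-i-p)}\ \ \frac{p \in \mathit{props}}{p \in \mathit{Set}}$$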

mTT can be viewed as a predicative version of the Calculus of Constructions [1], for short CoC. 
The main difference with respect to CoC is that mTT distinguishes between sets and collections in a 
way similar to the distinction between sets and classes in axiomatic set theory. However, all types of 
mTT, i.e. small propositions, propositions, sets and collections, are predicative entities in the sense 
that their elements can be generated in an inductive way by a finite number of rules. According 
to the notion of set in Bishop [3] and Martin-Löf [13], all mTT-types are actually sets, and in
fact mTT-types can be interpreted as sets in the intensional version of Martin-Löf’s type theory in
m- The mTT-distinction between sets and collections, and the corresponding distinction between
small propositions and propositions, is motivated by the need of distinguishing between predicative 
entities whose notion of element is a closed concept, and these are called sets, and those entities 
whose notion of element is an open concept, and these are called collections. The motivating idea is 
that a set is inductively generated by a finite number of rules whose associated inductive principle 
does not vary when the theory mTT is extended with new entities (sets, collections or propositions). 
On the contrary a collection is inductively generated by a finite number of rules which may vary 
when the theory is extended with new entities. Typical examples of collections are universes (of sets 
or propositions): if we extend the theory mTT with a new small proposition, then we need to add
a new rule inserting this new small proposition in the collection of small propositions. 

We recall from m that the distinction between propositions and sets is crucial to avoid the 
validity of choice principles. 

Finally, it is worth noting that in mTT we restrict substitution term equality rules to explicit
substitution term equality rules of the form

$$\frac{\begin{array}{c} c(x_1, \dots, x_n) \in C(x_1, \dots, x_n)\ [x_1 \in A_1, \dots, x_n \in A_n(x_1, \dots, x_{n-1})] \\ a_1 = b_1 \in A_1 \quad \dots \quad a_n = b_n \in A_n(a_1, \dots, a_{n-1}) \end{array}}{c(a_1, \dots, a_n) = c(b_1, \dots, b_n) \in C(a_1, \dots, a_n)}$$

in place of usual term equality rules preserving term constructions typical of Martin-Löf’s type
theory in m- This restriction, and in particular the absence of the so called $\xi$-rule of lambda-terms

$$\xi)\ \ \frac{c = c' \in C\ [x \in B]}{\lambda x^B.c = \lambda x^B.c' \in (\Pi x \in B)\,C}$$

seems to be crucial to prove consistency of mTT with AC + CT, as advocated in El, by means of
a realizability semantics a la Kleene, but this is still an open problem (the realizability semantics
given here does not help to solve this since it can not validate AC on all types). It is worth recalling
from [To] that our restriction of term equality does not affect the possibility of adopting mTT as the
intensional level of a two-level constructive foundation as intended in M- Indeed the term equality
rules of mTT suffice to interpret an extensional level including extensional equality of functions, as
that represented by emTT, by means of the quotient model described in uni and studied abstractly
in [HIIIIIIS].


2.2 The extensional level of the Minimalist Foundation 


Here we briefly describe the extensional level emTT of the Minimalist Foundation. This is an extensional
dependent type theory extending extensional Martin-Löf’s type theory in m with primitive
(proof-irrelevant) propositions, power-collections and quotients.

The rules of emTT are formulated by using the same kinds of judgements used for mTT. The 
main peculiar characteristics of emTT in comparison to mTT are the following. 

1. A primary difference between emTT and mTT is the usual difference between the so called
intensional version of Martin-Löf’s type theory [T5] and its extensional one in m and this is
the fact that the definitional equality of terms

$$a = b \in A\ [\Gamma]$$

is no longer decidable in emTT as it is in the intensional mTT. This is in turn due to the
fact that the propositional equality of emTT as that of called $\mathsf{Eq}(A, a, b)$, is extensional
in the sense that the provability of $\mathsf{Eq}(A, a, b)\ [\Gamma]$ in emTT is equivalent to the derivation of
the judgement $a = b \in A\ [\Gamma]$. Instead, in mTT only the derivation of the definitional equality
judgement $a = b \in A\ [\Gamma]$ implies internally the provability of the intensional propositional
equality $\mathsf{Id}(A, a, b)\ [\Gamma]$ under a generic context.


2. Another peculiar feature of emTT employs the distinction between propositions and sets: this
is the addition of proof-irrelevance for propositions captured by the following rules

$$\text{prop-mono)}\ \ \frac{\phi\ \mathit{prop}\ [\Gamma] \quad p \in \phi\ [\Gamma] \quad q \in \phi\ [\Gamma]}{p = q \in \phi\ [\Gamma]} \qquad\qquad \text{prop-true)}\ \ \frac{\phi\ \mathit{prop} \quad p \in \phi}{\mathsf{true} \in \phi}$$

saying that a proof of a proposition is unique and equal to a canonical proof term called true.
Of course, these rules can not be added to an extensional theory identifying propositions with
sets as Martin-Löf’s one in because they would trivialize all constructors. Moreover, these
rules are not present in the intensional level mTT because proof-irrelevance is a typical extensional
condition. Indeed, emTT-propositions can be thought of as quotients of intensional
propositions under the trivial equivalence relation between proofs.

3. Other key differences between the type theories mTT and emTT are the addition in emTT
of quotient sets

$$A/\rho\ \mathit{set}\ [\Gamma]$$

provided that $\rho$ is a small equivalence relation $\rho\ \mathit{props}\ [x \in A, y \in A]$ on the set $A$, and the
addition of the power-collection of the singleton and of the power-collection of a generic set $A$

$$\mathcal{P}(1) \qquad\qquad A \to \mathcal{P}(1)$$

4. A further difference between the type theories mTT and emTT concerns the equality rules
between terms. Indeed in emTT equality rules between terms are the usual ones typical of
an extensional type theory in m preserving all term constructors. In particular, equality of
lambda-functions is extensional, namely it is possible to prove

$$(\forall x \in A)\,\mathsf{Eq}(B(x), f(x), g(x)) \to \mathsf{Eq}((\Pi x \in A)B(x),\ \lambda x.f(x),\ \lambda x.g(x))$$

This proposition is not necessarily provable at the intensional level mTT when substituting
the extensional propositional equality $\mathsf{Eq}(A, a, b)$ with the intensional one $\mathsf{Id}(A, a, b)$.

We end by recalling from [10] that a model for mTT can be turned into a model for emTT by
using the interpretation of emTT into mTT described in uni. Therefore in the following we are
going to define a realizability interpretation just for mTT, to get one also for emTT.

2.3 Untyped syntax of mTT®

Usually in type theory the syntax is introduced in fieri; for example terms are introduced typically
after deriving some conditions or constraints which are required to define them. However for
semantical purposes it looks more convenient to present the syntax a priori in a partial way by
eliminating parts of usual restrictions.

Therefore, since we want to define a realizability interpretation for mTT®, we introduce here
the syntax of all mTT®-type and term constructors in a partial way and we refer the reader to look
at m for all the mTT-rules. Then we will define a partial interpretation for terms of our extended
syntax and check that this interpretation is well defined in case the constraints for introducing them
are validated by the model.

Definition 2.1. Let [x] be a context, i. e. [x] = [$x_1, \dots, x_n$] is a possibly empty list of distinct variables.
Terms, small propositions, sets, propositions and collections in context are defined according to the
following conditions. If

1. $t$ [x], $t'$ [x], $t''$ [x], $s$ [x, y], $s'$ [x, y], $r$ [x, y, z], $q$ [x, y, z, u] are terms in context;

2. $\phi$ [x], $\phi'$ [x], $\psi$ [x, y] are small propositions in context;

3. $A$ [x], $A'$ [x], $B$ [x, y] are sets in context;

4. $\eta$ [x], $\eta'$ [x], $\rho$ [x, y] are propositions in context;

5. $D$ [x], $E$ [x, y] are collections in context,

then

1. $x_i$ [x] is a term in context;

the empty set eliminator $\mathsf{emp}_0(t)$ [x] is a term in context;

the singleton constant $\star$ [x] and the singleton eliminator $El_{N_1}(t, t')$ [x] are terms in context;

the zero constant $0$ [x], the successor constructor $succ(t)$ [x] and the eliminator of natural numbers
$El_N(t, t', (y,z)r)$ [x] are terms in context;¹

the lambda abstraction of dependent product $\lambda y.s$ [x] and its application $Ap(t, t')$ [x] are terms
in context;

the pairing of strong indexed sum $\langle t, t' \rangle$ [x] and its eliminator $El_\Sigma(t, (y,z)r)$ [x] are terms in
context;

the first injection of binary disjoint sum $inl(t)$ [x] and its second injection $inr(t)$ [x] and its
eliminator $El_+(t, (y)s, (y)s')$ [x] are terms in context;

the empty list $\epsilon$ [x], the list constructor $cons(t, t')$ [x] and its eliminator $El_{List}(t, t', (y, z, u)q)$ [x]
are terms in context;

the false eliminator $\mathsf{r}_0(t)$ [x] is a term in context;

the pairing of conjunction $\langle t,_\wedge t' \rangle$ [x], and its first and second projections $\pi_1^\wedge(t)$ [x] and $\pi_2^\wedge(t)$ [x]
are terms in context;

the first injection of disjunction $inl_\vee(t)$ [x], the second injection of disjunction $inr_\vee(t)$ [x] and
its eliminator $El_\vee(t, (y)s, (y)s')$ [x] are terms in context;

the lambda abstraction of implication $\lambda_\to y.s$ [x] and its application $Ap_\to(t, t')$ [x] are terms in
context;

the pairing of existential quantification $\langle t,_\exists t' \rangle$ [x] and its eliminator $El_\exists(t, (y, z)r)$ [x] are terms
in context;

the lambda abstraction of universal quantification $\lambda_\forall y.s$ [x] and its application $Ap_\forall(t, t')$ [x] are
terms in context;

the Propositional Identity term constructor $id(t)$ [x] and its eliminator $El_{\mathsf{Id}}(t, t', t'', (y)s)$ [x]²
are terms in context;

¹The rules for these constructors derive from those of $List(N_1)$ in mTT by identifying $0$ with $\epsilon$, $succ(t)$ with
$cons(t, \star)$ and ,{y, z)r) with {v^yj z)r).

²In the rules for $\mathsf{Id}(A, a, b)$ of mTT the eliminator $El_{\mathsf{Id}}(p, (x)c)$ is substituted by an eliminator $El_{\mathsf{Id}}(a, b, p, (x)c)$
with explicit reference to $a \in A$ and $b \in A$. The rules remain the same.

the empty set code $\widehat{N_0}$ [x], the singleton code $\widehat{N_1}$ [x], the natural numbers set code $\widehat{N}$ [x], the
dependent product code $(\widehat{\Pi} y \in A)s$ [x], the dependent sum code $(\widehat{\Sigma} y \in A)s$ [x], the disjoint sum
code $t \mathbin{\widehat{+}} t'$ [x], the list code $\widehat{List}(t)$ [x], the falsum code $\widehat{\bot}$, the conjunction code $t \mathbin{\widehat{\wedge}} t'$, the disjunction
code $t \mathbin{\widehat{\vee}} t'$, the implication code $t \mathbin{\widehat{\to}} t'$, the existential quantification code $(\widehat{\exists} y \in A)s$ [x], the
universal quantification code $(\widehat{\forall} y \in A)s$ [x] and the propositional identity code $\widehat{\mathsf{Id}}(A, t, t')$ [x] are
terms in context;

2. $\bot$ [x] is a small proposition in context;

$\tau(t)$ [x] is a small proposition in context;

$\phi \wedge \phi'$ [x], $\phi \vee \phi'$ [x] and $\phi \to \phi'$ [x] are small propositions in context;

$(\exists y \in A)\,\psi$ [x] and $(\forall y \in A)\,\psi$ [x] are small propositions in context;

$\mathsf{Id}(A, t, t')$ [x] is a small proposition in context;

3. $\phi$ [x] is a set in context;

$N_0$ [x], $N_1$ [x] and $N$ [x] are sets in context;

$(\Pi y \in A)\,B$ [x], $(\Sigma y \in A)\,B$ [x], $A + A'$ [x] and $List(A)$ [x] are sets in context;

4. $\phi$ [x] is a proposition in context;

$\eta \wedge \eta'$ [x], $\eta \vee \eta'$ [x] and $\eta \to \eta'$ [x] are propositions in context;

$(\exists y \in D)\,\rho$ [x] and $(\forall y \in D)\,\rho$ [x] are propositions in context;

$\mathsf{Id}(D, t, t')$ [x] is a proposition in context;

5. $\eta$ [x] is a collection in context;

$A$ [x] is a collection in context;

$\mathit{Set}$ [x] is a collection in context;

$\mathit{props}$ [x] is a collection in context;

$A \to \mathit{props}$ [x] is a collection in context;

$(\Sigma y \in D)\,E$ [x] is a collection in context.

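For sets in context $A$ [x] we define an abbreviation $\widehat{A}$ [x] as follows:

1. $\widehat{\bot}$, $\widehat{N_0}$, $\widehat{N_1}$ and $\widehat{N}$ were already defined;

2. $\widehat{(\Pi y \in A)\,B} = (\widehat{\Pi} y \in A)\,\widehat{B}$, $\widehat{(\Sigma y \in A)\,B} = (\widehat{\Sigma} y \in A)\,\widehat{B}$,

3. $\widehat{A + A'} = \widehat{A} \mathbin{\widehat{+}} \widehat{A'}$, $\widehat{List(A)} = \widehat{List}(\widehat{A})$,

4. $\widehat{\phi \wedge \phi'} = \widehat{\phi} \mathbin{\widehat{\wedge}} \widehat{\phi'}$, $\widehat{\phi \vee \phi'} = \widehat{\phi} \mathbin{\widehat{\vee}} \widehat{\phi'}$, $\widehat{\phi \to \phi'} = \widehat{\phi} \mathbin{\widehat{\to}} \widehat{\phi'}$,

5. $\widehat{(\exists y \in A)\,\psi} = (\widehat{\exists} y \in A)\,\widehat{\psi}$, $\widehat{(\forall y \in A)\,\psi} = (\widehat{\forall} y \in A)\,\widehat{\psi}$, $\widehat{\mathsf{Id}(A, t, s)} = \widehat{\mathsf{Id}}(A, t, s)$,

6. $\widehat{\tau(t)} = t$.

It is clear that the previous definition is overabundant with respect to the common use in type
theory. We introduced some terms which we will never find in any standard type theory, as for
example the term $0 \mathbin{\widehat{\wedge}} El_{N_1}(\lambda x.x, \lambda_\to y.y)$ which is obtained by gluing together terms which usually
have types which are not compatible. For example $0$ is usually typed as a natural number, while $\widehat{\wedge}$
connects codes for small propositions.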

3 The realizability interpretation for mTT® 

The preliminary step in the presentation of the Kleene realizability interpretation consists in presenting
the theory of Inductive Definitions IDi in which we will interpret mTT®.

3.1 The system IDi 

The system IDi is a predicative fragment of second-order arithmetic, more precisely it is the predicative
fragment of second-order arithmetic extending Peano arithmetics with some (not necessarily
least) fix points for each positive arithmetical operator. Its number terms are number variables (we
assume that these variables are equal to those of mTT®), the constant $0$ and the terms built by
applying the unary successor functional symbol $succ$ and the binary sum and product functional
symbols $+$ and $*$ to number terms. Set terms are only set variables $X, Y, Z, \dots$ The arithmetical
formulas are obtained starting from $t = s$ and $t\,\varepsilon\,X$ with $t$, $s$ number terms and $X$ a set variable,
by applying the connectives $\wedge$, $\vee$, $\neg$, $\to$ and the number quantifiers $\forall x$, $\exists x$. Moreover let us give the
following two definitions.

Definition 3.1. An occurrence of a set variable $X$ is positive in an arithmetical formula $\varphi$ if and
only if $\varphi$ is $t\,\varepsilon\,X$ for some number term $t$ or $\varphi$ is $\psi \wedge \psi'$, $\psi' \wedge \psi$, $\psi \vee \psi'$, $\psi' \vee \psi$, $\psi' \to \psi$, $\exists x\,\psi$ or
$\forall x\,\psi$ and the occurrence of $X$ is a positive occurrence of $X$ in $\psi$.

Definition 3.2. An arithmetical formula $\varphi$ with exactly one free number variable $n$ and one free
set variable $X$ which occurs only positively is called an admissible formula.

In order to define the system IDi we add to the language of arithmetic a unary predicate symbol
$P_\varphi$, for every admissible formula $\varphi$. The atomic formulas of IDi are

1. $t = s$ with $t$ and $s$ number terms,

2. $t\,\varepsilon\,X$ with $t$ a number term and $X$ a set variable,

3. $P_\varphi(t)$ with $t$ a number term and $\varphi$ an admissible formula.

All formulas of IDi are obtained by atomic formulas by applying connectives, number quantifiers 
and set quantifiers. 

The axioms of IDi are the axioms of Peano Arithmetic plus the following three axiom schemata:

1. Comprehension schema: for all formulas $\varphi(x)$ of IDi without set quantifiers

$$\exists X\,\forall x\,(x\,\varepsilon\,X \leftrightarrow \varphi(x))$$

2. Induction schema: for all formulas $\varphi(x)$ of IDi

$$(\varphi(0) \wedge \forall x\,(\varphi(x) \to \varphi(succ(x)))) \to \forall x\,\varphi(x)$$

3. Fix point schema: for all admissible formulas $\varphi$

$$\varphi[P_\varphi/X] \leftrightarrow P_\varphi(x)$$

where $\varphi[P_\varphi/X]$ is the result of substituting in $\varphi$ all instances of $x\,\varepsilon\,X$ with $P_\varphi(x)$.

The system IDi allows us to define predicates as fix points, by using axiom schema 3, if they
are presented in an appropriate way (i.e. using admissible formulas).

A definable class $C$ of IDi is a formal writing $\{x \mid \varphi(x)\}$ where $\varphi(x)$ is a formula of IDi. In this
case we write $x \,\varepsilon\, C$ as a shorthand for $\varphi(x)$.

Notation of computable operators in IDi. 

As is well known, it is certainly possible to express a Gödelian coding of recursive functions
in IDi using Kleene's predicate since it is already possible to do this in PA. In particular we
can consider a definitional extension of IDi (which we still call IDi) in which there are terms with
Kleene's brackets $\{t\}(s)$ and there is a predicate $\{t\}(s)\downarrow$ stating that the term with Kleene's brackets
is well defined ($s$ is in the domain of the recursive function coded by $t$). We will write $\{t\}(s_1, \ldots, s_n)$
as a shorthand defined by induction: it is $\{t\}(s_1)$ if $n = 1$ while if $n > 1$ and if we have already
defined $\{t\}(s_1, \ldots, s_n)$, then $\{t\}(s_1, \ldots, s_{n+1}) = \{\{t\}(s_1, \ldots, s_n)\}(s_{n+1})$. We denote by $\mathbf{succ}$ a numeral
for which $\{\mathbf{succ}\}(x) = succ(x)$ in IDi.

As is well known, the s-m-n lemma (see e. g. dl) gives the structure of a partial combinatorial
algebra to natural numbers endowed with Kleene application and this structure can be expressed in
IDi. In particular we can find numerals $\mathbf{p}, \mathbf{p}_1, \mathbf{p}_2$ representing a fixed primitive recursive bijective
pairing function with primitive recursive first and second projections. We will write $p_1(x)$, $p_2(x)$ and
$\langle x, y \rangle$ as abbreviations for $\{\mathbf{p}_1\}(x)$, $\{\mathbf{p}_2\}(x)$ and $\{\mathbf{p}\}(x, y)$ respectively. It is also possible to define a
numeral $\mathbf{ite}$ representing the definition by cases ($\{\mathbf{ite}\}(n, m, l) \simeq m$ if $n = 0$, $\{\mathbf{ite}\}(n, m, l) \simeq l$ if
$n \neq 0$). We can also encode recursively finite lists of natural numbers with natural numbers in such
a way that the empty list is coded by 0 and the concatenation is a recursive function which can be
coded by a numeral $\mathbf{cnc}$. We have moreover numerals $\mathbf{rec}$ and $\mathbf{listrec}$ representing natural numbers
recursion and lists recursion. These numbers in particular satisfy the following requirements:

1. $\{\mathbf{rec}\}(n, m, 0) \simeq n$;

2. $\{\mathbf{rec}\}(n, m, k + 1) \simeq \{m\}(k, \{\mathbf{rec}\}(n, m, k))$;

3. $\{\mathbf{listrec}\}(n, m, 0) \simeq n$;

4. $\{\mathbf{listrec}\}(n, m, \mathbf{cnc}(k, l)) \simeq \{m\}(k, l, \{\mathbf{listrec}\}(n, m, k))$.

For this representation of lists, the component functions $(-)_j$ turn out to be recursive.

Moreover we can always define $\Lambda$-terms $\Lambda x.t$ in IDi for terms $t$ built with numerals, variables and
Kleene application, in such a way that $\{\Lambda x.t\}(n) \simeq t[n/x]$ and $\{\Lambda x_1 \ldots \Lambda x_n.t\}(n) \simeq \Lambda x_2 \ldots \Lambda x_n.t[n/x_1]$.

then else 

$a \simeq b$ means that $a\downarrow$ if and only if $b\downarrow$ and in this case $a = b$ in IDi.
3.2 The definition of interpretation

The realizability interpretation for mTT® we are going to describe is a modification of Beeson's
realizability semantics [5] for the extensional version of first order Martin-Löf's type theory with one
universe m- So it will be given in IDi as Beeson's one. Here we describe the key points of such
an interpretation on which we follow Beeson's semantics:

- all types of mTT'* are interpreted as quotients of definable classes of IDi, intended as classes of
"their realizers". In particular we use Beeson's technique of interpreting Martin-Löf's universe
to interpret the collection of (codes for) small propositions of mTT'*. In order to do this it is
crucial to have fix points and hence this is why we work in the theory IDi;

- terms are interpreted as (codes) of recursive functions;

- equality between terms in context is interpreted as extensional equality of recursive functions;

- the interpretation of substitution will be proven to be equivalent to the substitution in
interpretation;

- we interpret $\lambda$-abstraction by using the s-m-n lemma of computability, but then, in order to
validate the condition of the previous point, we impose equality of type-theoretic functions to
be extensional. Therefore the principle of Extensional Equality of Functions will turn out to
be valid in our model.

Instead we do not follow Beeson's semantics in the interpretation of propositions:

- in order to validate formal Church Thesis we interpret propositions as trivial quotients of
original Kleene realizability. As a consequence Martin-Löf's isomorphism of propositions-as-sets
together with the validity of the Axiom of Choice is not validated in our realizability
semantics contrary to Beeson's one.

We can summarize the interpretation of terms and types with the following table:

Terms           (codes) of recursive functions
Collections     quotients of definable classes $(C, \sim)$
Propositions    quotients of definable classes on trivial $\sim$


The interpretation of terms 

Before giving the interpretation of mTT®-terms, we need to present explicitly a convention about
how to encode mTT^’-sets with numerals. We will code sets as $\{\mathbf{p}\}(a, \langle b_1, \ldots, b_n \rangle)$, where $a$ is a
number coding a particular constructor and $\langle b_1, \ldots, b_n \rangle$ is a list of codes for ingredients needed by
the constructor itself. The following table makes evident the choices for $a$:

Constructor   $N_0, N_1, N$   $\Pi$   $\Sigma$   $+$   $List$   $\bot$   $\wedge$   $\vee$   $\rightarrow$   $\exists$   $\forall$   $\mathsf{Id}$
$a$           1               2       3          4     5        6        7          8        9               10          11          12

Notice that codes for small propositions must have $a > 5$.

We can now proceed to the definition of the interpretation of mTT®-terms. 

® A quotient is trivial if it is determined by a trivial relation i. e. a relation for which all pairs of elements are 
equivalent. 
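Definition 3.3. Terms in context $t[x_1, \ldots, x_n]$ are interpreted as

$\mathcal{I}(t[x_1, \ldots, x_n]) = \Lambda x_1 \ldots \Lambda x_n.\mathcal{I}(t)$

where $\mathcal{I}(t)$ are terms of the extended language of IDi defined as follows

1. If $x$ is a variable, then $\mathcal{I}(x) = x$;

2. $\mathcal{I}(\mathsf{emp}_0(t)) = \mathcal{I}(\mathsf{r}_0) = 0$;

3. $\mathcal{I}(*) = 0$ and $\mathcal{I}(El_{N_1}(t, t')) = \mathcal{I}(t')$;

4. $\mathcal{I}(0) = 0$ and $\mathcal{I}(succ(t)) = \{\mathbf{succ}\}(\mathcal{I}(t))$,

$\mathcal{I}(El_N(t, t', (y,z)r)) = \{\mathbf{rec}\}(\mathcal{I}(t'), \Lambda y.\Lambda z.\mathcal{I}(r), \mathcal{I}(t))$;

5. $\mathcal{I}(\lambda y.s) = \mathcal{I}(\lambda_{\rightarrow} y.s) = \mathcal{I}(\lambda_{\forall} y.s) = \Lambda y.\mathcal{I}(s)$,

$\mathcal{I}(\mathsf{Ap}(t, t')) = \mathcal{I}(\mathsf{Ap}_{\rightarrow}(t, t')) = \mathcal{I}(\mathsf{Ap}_{\forall}(t, t')) = \{\mathcal{I}(t)\}(\mathcal{I}(t'))$;

6. $\mathcal{I}(\langle t, t' \rangle) = \mathcal{I}(\langle t,_{\exists} t' \rangle) = \mathcal{I}(\langle t,_{\wedge} t' \rangle) = \{\mathbf{p}\}(\mathcal{I}(t), \mathcal{I}(t'))$,

$\mathcal{I}(El_{\Sigma}(t, (y,z)r)) = \mathcal{I}(El_{\exists}(t, (y,z)r)) = \{\Lambda y.\Lambda z.\mathcal{I}(r)\}(\{\mathbf{p}_1\}(\mathcal{I}(t)), \{\mathbf{p}_2\}(\mathcal{I}(t)))$;

$\mathcal{I}(\pi_1(t)) = \{\mathbf{p}_1\}(\mathcal{I}(t))$,

$\mathcal{I}(\pi_2(t)) = \{\mathbf{p}_2\}(\mathcal{I}(t))$;

7. $\mathcal{I}(\mathsf{inl}(t)) = \mathcal{I}(\mathsf{inl}_{\vee}(t)) = \{\mathbf{p}\}(0, \mathcal{I}(t))$,

$\mathcal{I}(\mathsf{inr}(t)) = \mathcal{I}(\mathsf{inr}_{\vee}(t)) = \{\mathbf{p}\}(1, \mathcal{I}(t))$,

$\mathcal{I}(El_{+}(t, (y)s, (y)s')) = \mathcal{I}(El_{\vee}(t, (y)s, (y)s')) = \{\mathbf{ite}\}(\{\mathbf{p}_1\}(\mathcal{I}(t)), \{\Lambda y.\mathcal{I}(s)\}(\{\mathbf{p}_2\}(\mathcal{I}(t))), \{\Lambda y.\mathcal{I}(s')\}(\{\mathbf{p}_2\}(\mathcal{I}(t))))$;

8. $\mathcal{I}(\epsilon) = 0$ and $\mathcal{I}(\mathsf{cons}(t, t')) = \{\mathbf{cnc}\}(\mathcal{I}(t), \mathcal{I}(t'))$,

$\mathcal{I}(El_{List}(t, t', (y,z,u)q)) = \{\mathbf{listrec}\}(\mathcal{I}(t'), \Lambda y.\Lambda z.\Lambda u.\mathcal{I}(q), \mathcal{I}(t))$;

9. $\mathcal{I}(\mathsf{id}(t)) = 0$,

$\mathcal{I}(El_{\mathsf{Id}}(t, t', t'', (y)s)) = \{\Lambda y.\mathcal{I}(s)\}(\mathcal{I}(t))$;

10. $\mathcal{I}(N_0) = \{\mathbf{p}\}(1, 0)$, $\mathcal{I}(N_1) = \{\mathbf{p}\}(1, 1)$ and $\mathcal{I}(N) = \{\mathbf{p}\}(1, 2)$,

$\mathcal{I}((\Pi y \in A)s) = \{\mathbf{p}\}(2, \{\mathbf{p}\}(\mathcal{I}(A), \Lambda y.\mathcal{I}(s)))$,

$\mathcal{I}((\Sigma y \in A)s) = \{\mathbf{p}\}(3, \{\mathbf{p}\}(\mathcal{I}(A), \Lambda y.\mathcal{I}(s)))$,

$\mathcal{I}(t + t') = \{\mathbf{p}\}(4, \{\mathbf{p}\}(\mathcal{I}(t), \mathcal{I}(t')))$,

$\mathcal{I}(List(t)) = \{\mathbf{p}\}(5, \mathcal{I}(t))$,

$\mathcal{I}(\bot) = \{\mathbf{p}\}(6, 0)$,

$\mathcal{I}(t \wedge t') = \{\mathbf{p}\}(7, \{\mathbf{p}\}(\mathcal{I}(t), \mathcal{I}(t')))$,

$\mathcal{I}(t \vee t') = \{\mathbf{p}\}(8, \{\mathbf{p}\}(\mathcal{I}(t), \mathcal{I}(t')))$,

$\mathcal{I}(t \rightarrow t') = \{\mathbf{p}\}(9, \{\mathbf{p}\}(\mathcal{I}(t), \mathcal{I}(t')))$,

$\mathcal{I}((\exists y \in A)s) = \{\mathbf{p}\}(10, \{\mathbf{p}\}(\mathcal{I}(A), \Lambda y.\mathcal{I}(s)))$,

$\mathcal{I}((\forall y \in A)s) = \{\mathbf{p}\}(11, \{\mathbf{p}\}(\mathcal{I}(A), \Lambda y.\mathcal{I}(s)))$,

$\mathcal{I}(\mathsf{Id}(A, t, t')) = \{\mathbf{p}\}(12, \{\mathbf{p}\}(\mathcal{I}(A), \{\mathbf{p}\}(\mathcal{I}(t), \mathcal{I}(t'))))$.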

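For the sake of example let us consider the interpretation of the term in context $t[x, y, z]$ defined
as $\mathsf{Id}(\mathsf{Id}(N, x, x), y, z)[x, y, z]$:

$\mathcal{I}(t[x, y, z]) = \Lambda x.\Lambda y.\Lambda z.\mathcal{I}(\mathsf{Id}(\mathsf{Id}(N, x, x), y, z))$

$= \Lambda x.\Lambda y.\Lambda z.\{\mathbf{p}\}(12, \{\mathbf{p}\}(\mathcal{I}(\mathsf{Id}(N, x, x)), \{\mathbf{p}\}(y, z)))$

$= \Lambda x.\Lambda y.\Lambda z.\{\mathbf{p}\}(12, \{\mathbf{p}\}(\{\mathbf{p}\}(12, \{\mathbf{p}\}(\mathcal{I}(N), \{\mathbf{p}\}(x, x))), \{\mathbf{p}\}(y, z)))$

$= \Lambda x.\Lambda y.\Lambda z.\{\mathbf{p}\}(12, \{\mathbf{p}\}(\{\mathbf{p}\}(12, \{\mathbf{p}\}(\{\mathbf{p}\}(1, 2), \{\mathbf{p}\}(x, x))), \{\mathbf{p}\}(y, z)))$.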
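The coding convention and the worked term above can be checked on concrete numbers. The following Python sketch is an added example, not code from the paper: it assumes the Cantor pairing function as the fixed pairing p (the text only requires some primitive recursive bijective pairing), evaluates the body of the interpretation at numeric arguments instead of building a Λ-term, and its function names are hypothetical.

```python
"""Numeric version of the set codes {p}(a, payload) from Definition 3.3.

Assumption (not fixed by the paper): p is the Cantor pairing function.
Only the non-dependent constructors are covered, because the dependent ones
(Pi, Sigma, exists, forall) carry the code of a recursive function Lambda y.I(s).
"""
from math import isqrt


def p(x, y):
    """Cantor pairing: a primitive recursive bijection N x N -> N."""
    return (x + y) * (x + y + 1) // 2 + y


def unpair(n):
    """Inverse of p, returned as the pair (p1(n), p2(n))."""
    w = (isqrt(8 * n + 1) - 1) // 2
    y = n - w * (w + 1) // 2
    return w - y, y


def p1(n):
    return unpair(n)[0]


def p2(n):
    return unpair(n)[1]


# Constructor numbers a, as in the table of Section 3.2.
BASE, PLUS, LIST, BOT, AND, OR, IMP, ID = 1, 4, 5, 6, 7, 8, 9, 12
N0, N1, N = p(BASE, 0), p(BASE, 1), p(BASE, 2)
BOTTOM = p(BOT, 0)
BINARY = {PLUS: "+", AND: "and", OR: "or", IMP: "imp"}


def binary(a, left, right):
    """Code of A + A', phi and phi', phi or phi', phi -> phi'."""
    return p(a, p(left, right))


def list_of(a_code):
    return p(LIST, a_code)


def identity(a_code, t, s):
    """Code of Id(A, t, s): {p}(12, {p}(I(A), {p}(I(t), I(s))))."""
    return p(ID, p(a_code, p(t, s)))


def is_small_prop_code(n):
    """Codes of small propositions are those whose constructor number is > 5."""
    return p1(n) > 5


def decode(n):
    """Rebuild the syntax tree of a non-dependent set code."""
    a, payload = unpair(n)
    if a == BASE and payload in (0, 1, 2):
        return ("N0", "N1", "N")[payload]
    if a == BOT and payload == 0:
        return "bot"
    if a == LIST:
        return ("List", decode(payload))
    if a in BINARY:
        return (BINARY[a], decode(p1(payload)), decode(p2(payload)))
    if a == ID:
        carrier, terms = unpair(payload)
        return ("Id", decode(carrier), p1(terms), p2(terms))
    raise ValueError(f"{n} is not the code of a non-dependent set")


def worked_example(x, y, z):
    """Body of I(Id(Id(N, x, x), y, z)[x, y, z]) at numeric arguments."""
    return identity(identity(N, x, x), y, z)
```

Decoding only inspects the shape of a code; it does not check the side conditions (such as t and s being members of A) that the fix point Set(n) later imposes.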

We say that an interpretation of a term in context $t[x]$ is well defined if $\mathcal{I}(t[x])\downarrow$ is provable in
IDi. Notice that the interpretations of terms in non-empty contexts are always well defined.

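Notice moreover that in IDi

1.

2. $\mathcal{I}(El_N(0, t, (y,z)s))$

3. $\mathcal{I}(El_N(succ(t'), t, (y,z)s)) \simeq \mathcal{I}(s)[\mathcal{I}(t')/y, \mathcal{I}(El_N(t', t, (y,z)s))/z]$;

4. $\mathcal{I}(\mathsf{Ap}(\lambda y.s, t)) \simeq \mathcal{I}(s)[\mathcal{I}(t)/y]$;

5. $\mathcal{I}(\mathsf{Ap}_{\rightarrow}(\lambda_{\rightarrow} y.s, t)) \simeq \mathcal{I}(s)[\mathcal{I}(t)/y]$;

6. $\mathcal{I}(\mathsf{Ap}_{\forall}(\lambda_{\forall} y.s, t)) \simeq \mathcal{I}(s)[\mathcal{I}(t)/y]$;

7. $\mathcal{I}(El_{\Sigma}(\langle t, t' \rangle, (y,z)r)) \simeq \mathcal{I}(r)[\mathcal{I}(t)/y, \mathcal{I}(t')/z]$;

8. $\mathcal{I}(El_{\exists}(\langle t,_{\exists} t' \rangle, (y,z)r)) \simeq \mathcal{I}(r)[\mathcal{I}(t)/y, \mathcal{I}(t')/z]$;

9. $\mathcal{I}(\pi_1(\langle t,_{\wedge} t' \rangle)) \simeq \mathcal{I}(t)$;

10. $\mathcal{I}(\pi_2(\langle t,_{\wedge} t' \rangle)) \simeq \mathcal{I}(t')$;

11. $\mathcal{I}(El_{+}(\mathsf{inl}(t), (y)s, (y)s')) \simeq \mathcal{I}(s)[\mathcal{I}(t)/y]$;

12. $\mathcal{I}(El_{+}(\mathsf{inr}(t), (y)s, (y)s')) \simeq \mathcal{I}(s')[\mathcal{I}(t)/y]$;

13. $\mathcal{I}(El_{\vee}(\mathsf{inl}_{\vee}(t), (y)s, (y)s')) \simeq \mathcal{I}(s)[\mathcal{I}(t)/y]$;

14. $\mathcal{I}(El_{\vee}(\mathsf{inr}_{\vee}(t), (y)s, (y)s')) \simeq \mathcal{I}(s')[\mathcal{I}(t)/y]$;

15. $\mathcal{I}(El_{\mathsf{Id}}(t, \mathsf{id}(t), (y)s)) \simeq \mathcal{I}(s)[\mathcal{I}(t)/y]$;

16. $\mathcal{I}(El_{List}(\epsilon, t', (y,z,u)q)) \simeq \mathcal{I}(t')$;

17. $\mathcal{I}(El_{List}(\mathsf{cons}(t, t''), t', (y,z,u)q)) \simeq \mathcal{I}(q)[\mathcal{I}(t)/y, \mathcal{I}(t'')/z, \mathcal{I}(El_{List}(t, t', (y,z,u)q))/u]$.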
The interpretation of sets

Here we define the interpretation of sets in mTT® with the exception of those obtained as $\tau(p)$ for
some term $p$. Every such set is interpreted as a definable quotient of a definable class of IDi (and
actually of HA). This means that every set $A$ is interpreted as a pair

$\mathcal{I}(A) = (\mathcal{J}(A), \sim_{\mathcal{I}(A)})$

where $\mathcal{J}(A)$ is a definable class of IDi and $\sim_{\mathcal{I}(A)}$ is a definable equivalence relation on the class
$\mathcal{J}(A)$.

Since sets in mTT include small propositions, here we also define a realizability relation between
natural numbers and propositions. Indeed it is more convenient to define the realizability
interpretation of propositions by adopting an extension of usual Kleene's interpretation of intuitionistic
connectives.

Note that we use the notation $\mathcal{I}(A)[s/y]$ to mean the definable class in which we substitute $y$
with $s$ in the membership and in the equivalence relation of $\mathcal{I}(A)$.

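Definition 3.4. We define in IDi a realizability relation $n \Vdash \varphi$ between natural numbers and small
propositions, by induction on the definition of small propositions simultaneously together with the
definition of the following formulas $n \,\varepsilon\, \mathcal{J}(A)$ and $n \sim_{\mathcal{I}(A)} m$ for sets $A$, by induction on the definition
of sets (with the exception of those obtained using $\tau(p)$ for some term $p$), as follows:

($\bot$) $n \Vdash \bot$ is $\bot$;

($\wedge$) $n \Vdash \varphi \wedge \varphi'$ is $(p_1(n) \Vdash \varphi) \wedge (p_2(n) \Vdash \varphi')$;

($\vee$) $n \Vdash \varphi \vee \varphi'$ is $(p_1(n) = 0 \wedge p_2(n) \Vdash \varphi) \vee (p_1(n) \neq 0 \wedge p_2(n) \Vdash \varphi')$;

($\rightarrow$) $n \Vdash \varphi \rightarrow \varphi'$ is $\forall t\, ((t \Vdash \varphi) \rightarrow (\{n\}(t) \Vdash \varphi'))$;

($\exists$) $n \Vdash (\exists x \in A)\, \psi$ is $p_1(n) \,\varepsilon\, \mathcal{J}(A) \wedge (p_2(n) \Vdash \psi[p_1(n)/x])$;

($\forall$) $n \Vdash (\forall x \in A)\, \psi$ is $\forall x\, (x \,\varepsilon\, \mathcal{J}(A) \rightarrow (\{n\}(x) \Vdash \psi))$;

($\mathsf{Id}$) $n \Vdash \mathsf{Id}(A, t, s)$ is $\mathcal{I}(t) \sim_{\mathcal{I}(A)} \mathcal{I}(s)$;

($N_0$) $n \,\varepsilon\, \mathcal{J}(N_0)$ is $\bot$ and
$n \sim_{\mathcal{I}(N_0)} m$ is $\bot$;

($N_1$) $n \,\varepsilon\, \mathcal{J}(N_1)$ is $n = 0$ and
$n \sim_{\mathcal{I}(N_1)} m$ is $n = 0 \wedge n = m$;

($N$) $n \,\varepsilon\, \mathcal{J}(N)$ is $n = n$ and
$n \sim_{\mathcal{I}(N)} m$ is $n = m$;

($\Pi$) $n \,\varepsilon\, \mathcal{J}((\Pi x \in A)\, B)$ is
$\forall x\, (x \,\varepsilon\, \mathcal{J}(A) \rightarrow \{n\}(x) \,\varepsilon\, \mathcal{J}(B)) \wedge \forall x \forall y\, (x \sim_{\mathcal{I}(A)} y \rightarrow \{n\}(x) \sim_{\mathcal{I}(B)} \{n\}(y))$ and
$n \sim_{\mathcal{I}((\Pi x \in A) B)} m$ is
$n \,\varepsilon\, \mathcal{J}((\Pi x \in A) B) \wedge m \,\varepsilon\, \mathcal{J}((\Pi x \in A) B) \wedge \forall x\, (x \,\varepsilon\, \mathcal{J}(A) \rightarrow \{n\}(x) \sim_{\mathcal{I}(B)} \{m\}(x))$;

Note that the variable $x$ may be in $\mathcal{I}(B)$ here and in the following definition for $\Pi$ and $\Sigma$ sets, as it comes from
the definition of the untyped syntax.

($\Sigma$) $n \,\varepsilon\, \mathcal{J}((\Sigma x \in A)\, B)$ is $p_1(n) \,\varepsilon\, \mathcal{J}(A) \wedge \forall x\, (x \sim_{\mathcal{I}(A)} p_1(n) \rightarrow p_2(n) \,\varepsilon\, \mathcal{J}(B))$ and
$n \sim_{\mathcal{I}((\Sigma x \in A) B)} m$ is the conjunction of $n \,\varepsilon\, \mathcal{J}((\Sigma x \in A) B) \wedge m \,\varepsilon\, \mathcal{J}((\Sigma x \in A) B)$ and
$p_1(n) \sim_{\mathcal{I}(A)} p_1(m) \wedge \forall x\, (x \sim_{\mathcal{I}(A)} p_1(n) \rightarrow p_2(n) \sim_{\mathcal{I}(B)} p_2(m))$;

($+$) $n \,\varepsilon\, \mathcal{J}(A + A')$ is $(p_1(n) = 0 \wedge p_2(n) \,\varepsilon\, \mathcal{J}(A)) \vee (p_1(n) = 1 \wedge p_2(n) \,\varepsilon\, \mathcal{J}(A'))$ and
$n \sim_{\mathcal{I}(A + A')} m$ is the conjunction of $n \,\varepsilon\, \mathcal{J}(A + A') \wedge m \,\varepsilon\, \mathcal{J}(A + A') \wedge p_1(n) = p_1(m)$ and
$(p_1(n) = 0 \wedge p_2(n) \sim_{\mathcal{I}(A)} p_2(m)) \vee (p_1(n) = 1 \wedge p_2(n) \sim_{\mathcal{I}(A')} p_2(m))$;

($List$) $n \,\varepsilon\, \mathcal{J}(List(A))$ is $\forall j\, (j < lh(n) \rightarrow (n)_j \,\varepsilon\, \mathcal{J}(A))$ and
$n \sim_{\mathcal{I}(List(A))} m$ is the conjunction of $n \,\varepsilon\, \mathcal{J}(List(A)) \wedge m \,\varepsilon\, \mathcal{J}(List(A))$ and
$lh(n) = lh(m) \wedge \forall j\, (j < lh(n) \rightarrow (n)_j \sim_{\mathcal{I}(A)} (m)_j)$;

($\psi$) $n \,\varepsilon\, \mathcal{J}(\psi)$ is $n \Vdash \psi$ and
$n \sim_{\mathcal{I}(\psi)} m$ is $n \,\varepsilon\, \mathcal{J}(\psi) \wedge m \,\varepsilon\, \mathcal{J}(\psi)$ (i.e. proof-irrelevance).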

Remark 3.1. We can notice some preliminary properties of this realizability interpretation:

1. for every set $A$ we have that $\sim_{\mathcal{I}(A)}$ is really a definable equivalence relation on the definable
class $\mathcal{J}(A)$, in fact

$n \,\varepsilon\, \mathcal{J}(A) \vdash_{IDi} n \sim_{\mathcal{I}(A)} n$

$n \sim_{\mathcal{I}(A)} m \vdash_{IDi} m \sim_{\mathcal{I}(A)} n$

$n \sim_{\mathcal{I}(A)} m \wedge m \sim_{\mathcal{I}(A)} l \vdash_{IDi} n \sim_{\mathcal{I}(A)} l$

2. for every set $A$ we have that

$n \sim_{\mathcal{I}(A)} m \vdash_{IDi} n \,\varepsilon\, \mathcal{J}(A) \wedge m \,\varepsilon\, \mathcal{J}(A)$

3. if numerical sets are defined according to the following conditions

(a) $N_0$, $N_1$ and $N$ are numerical sets;

(b) if $A$ and $B$ are numerical sets, then $(\Sigma x \in A)\, B$, $A + B$ and $List(A)$ (if they are well
defined) are numerical sets,

then the equality of the interpretation of numerical sets is numerical, which means that

$n \sim_{\mathcal{I}(A)} m \vdash_{IDi} n = m$

4. for all propositions $\varphi$, the equivalence relation $\sim_{\mathcal{I}(\varphi)}$ is trivial (i.e. all pairs of elements of $\mathcal{I}(\varphi)$
are equivalent). This means that uniqueness of propositional proofs, called proof-irrelevance,
is imposed.
The encoding of all mTT®-sets

In the previous sections we have seen the interpretation of mTT®-sets which include small
propositions. It remains to define the interpretation of proper collections, including that of sets, small
propositions and small propositional functions on a set.

The interpretation of the collection of small propositions Set in IDi is the most difficult point and
to define it we mimic the technique adopted by Beeson [5] to interpret Martin-Löf's universe via a fix
point of some arithmetical operator with positive parameters. Hence, it is to define the interpretation
of Set, and in turn of the collection of small propositions $\mathsf{prop_s}$ and of small propositional functions
$A \rightarrow \mathsf{prop_s}$ on a set $A$, that we need to employ the full power of IDi with fix points.

The idea is to define an IDi-formula which defines codes of sets with their interpretation as a
fix point. It appears necessary to define a formula called Set(n) expressing that $n$ is a code of an mTT®-set
together with its realizability interpretation in IDi. Observe that in mTT® the type of all sets is
not present and hence no mTT'*-type will be interpreted as $\{n \mid \mathrm{Set}(n)\}$. As in Beeson's semantics,
to define the formula Set(n) of set codes with their arithmetical interpretation in IDi we need to
encode membership and equality of sets: $t \,\varepsilon\, n$ and $t =_n s$. In turn in order to define them, we need
to represent the notion of a family of sets used to interpret an mTT®-dependent set.

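A family of sets coded by $m$ on a set coded by $n$ could be described by the formula

$\mathrm{Set}(n) \wedge \forall t\, (t \,\varepsilon\, n \rightarrow \mathrm{Set}(\{m\}(t))) \wedge$

$\forall t \forall s\, (t =_n s \rightarrow (\forall j\, (j \,\varepsilon\, \{m\}(t) \leftrightarrow j \,\varepsilon\, \{m\}(s)) \wedge \forall j \forall k\, (j =_{\{m\}(t)} k \leftrightarrow j =_{\{m\}(s)} k)))$.

But in this formula not all occurrences of $t \,\varepsilon\, n$ and $t =_n s$ are positive. However it is classically
equivalent to the conjunction of the formula $\mathrm{Set}(n) \wedge \forall t\, (\neg\, t \,\varepsilon\, n \vee \mathrm{Set}(\{m\}(t)))$ and the formula
$\forall t \forall s\, (\neg\, t =_n s \vee (P_1 \wedge P_2))$ where $P_1$ is

$\forall j\, ((\neg\, j \,\varepsilon\, \{m\}(t) \vee j \,\varepsilon\, \{m\}(s)) \wedge (\neg\, j \,\varepsilon\, \{m\}(s) \vee j \,\varepsilon\, \{m\}(t)))$

and $P_2$ is

$\forall j \forall k\, ((\neg\, j =_{\{m\}(t)} k \vee j =_{\{m\}(s)} k) \wedge (\neg\, j =_{\{m\}(s)} k \vee j =_{\{m\}(t)} k))$

simply substituting all the instances of the schema $a \rightarrow b$ with the classically equivalent $\neg a \vee b$. Now
the trick consists in defining some predicates $t \not\varepsilon\, n$ and $t \neq_n s$ mimicking the negations of $t \,\varepsilon\, n$ and
$t =_n s$ as fix point predicates, too, in order to get a positive arithmetical operator. Note that
the use of a classical arithmetic theory with fix points seems unavoidable to be able to interpret
the collection of sets via a positive arithmetical operator.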

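From now on we write

$\mathrm{Fam}(m, n) \equiv \mathrm{Set}(n) \wedge \forall t\, (t \not\varepsilon\, n \vee \mathrm{Set}(\{m\}(t))) \wedge \forall t \forall s\, (t \neq_n s \vee (P_1' \wedge P_2'))$

where $P_1'$ and $P_2'$ are obtained from $P_1$ and $P_2$ by substituting negated instances of membership and
of equality predicates with their mentioned primitive negated versions

$P_1' \equiv \forall j\, ((j \not\varepsilon\, \{m\}(t) \vee j \,\varepsilon\, \{m\}(s)) \wedge (j \not\varepsilon\, \{m\}(s) \vee j \,\varepsilon\, \{m\}(t)))$

$P_2' \equiv \forall j \forall k\, ((j \neq_{\{m\}(t)} k \vee j =_{\{m\}(s)} k) \wedge (j \neq_{\{m\}(s)} k \vee j =_{\{m\}(t)} k))$.

In order to define the positive clauses for the codes of sets we must introduce some notations.
In this way we transform the clauses for realizability for sets automatically in the clauses needed to
define the fix points $\mathrm{Set}(n)$, $t \,\varepsilon\, n$, $t \not\varepsilon\, n$, $t =_n s$ and $t \neq_n s$.

First of all, we define a function $[\ ]$ which assigns a value to a set according to the table in section
3.2 as follows.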
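1. if $\alpha$ is one of the symbols $A$, $A'$, $B$, $\varphi$, $\varphi'$, $\psi$, $t$, $s$, then $[\alpha]$ is $a$, $a'$, $\{b\}(x)$, $c$, $c'$, $\{d\}(x)$, $e$, $f$
respectively;

2. if $\alpha$ is $N_0$, $N_1$, $N$, $(\Pi x \in A) B$, $(\Sigma x \in A) B$, $A + A'$, $List(A)$ then $[\alpha]$ is $\langle 1, 0 \rangle$, $\langle 1, 1 \rangle$, $\langle 1, 2 \rangle$,
$\langle 2, \langle a, b \rangle \rangle$, $\langle 3, \langle a, b \rangle \rangle$, $\langle 4, \langle a, a' \rangle \rangle$, $\langle 5, a \rangle$ respectively;

3. if $\alpha$ is $\bot$, $\varphi \wedge \varphi'$, $\varphi \vee \varphi'$, $\varphi \rightarrow \varphi'$, $(\exists x \in A)\, \psi$, $(\forall x \in A)\, \psi$, $\mathsf{Id}(A, t, s)$ then $[\alpha]$ is $\langle 6, 0 \rangle$, $\langle 7, \langle c, c' \rangle \rangle$,
$\langle 8, \langle c, c' \rangle \rangle$, $\langle 9, \langle c, c' \rangle \rangle$, $\langle 10, \langle a, d \rangle \rangle$, $\langle 11, \langle a, d \rangle \rangle$, $\langle 12, \langle a, \langle e, f \rangle \rangle \rangle$ respectively.

We denote by $[\ ]^{-1}$ the inverse function of $[\ ]$. Now, all clauses in the realizability interpretation of
sets are defined using formulas which are obtained starting from arithmetical formulas or primitive
formulas with $\varepsilon$ or $\sim$ by using connectives, first order quantifiers or explicit instances of substitution
in $\mathcal{I}$. For such formulas $\varphi$ we define $\varphi^+$ as follows:

1. if $\varphi$ is arithmetical, then $\varphi^+$ is defined as $\varphi$ itself. If $\varphi$ is a primitive formula with $\varepsilon$ or $\sim$ we
will transform $\varepsilon\, \mathcal{J}(\sigma)$ and $\sim_{\mathcal{I}(\sigma)}$ in $\varepsilon\, [\sigma]$ and $=_{[\sigma]}$ respectively, in order to obtain $\varphi^+$;

2. $(\varphi[a/x])^+$ is $\varphi^+[a/x]$;

3. $(\varphi \wedge \varphi')^+$ is $\varphi^+ \wedge \varphi'^+$;

4. $(\varphi \vee \varphi')^+$ is $\varphi^+ \vee \varphi'^+$;

5. $(\varphi \rightarrow \varphi')^+$ is $\overline{\varphi^+} \vee \varphi'^+$;

6. $(\forall u\, \varphi)^+$ is $\forall u\, \varphi^+$ for every variable $u$;

7. $(\exists u\, \varphi)^+$ is $\exists u\, \varphi^+$ for every variable $u$;

where $\overline{\varphi}$ is defined by the following clauses:

1. if $\varphi$ is an arithmetical formula, $\overline{\varphi}$ is $\neg \varphi$;

2. if $\varphi$ is a relation between two terms through $\varepsilon$, $\not\varepsilon$, $=$ or $\neq$ then $\overline{\varphi}$ is obtained by transforming
them in $\not\varepsilon$, $\varepsilon$, $\neq$ or $=$ respectively;

3. $\overline{\varphi \wedge \varphi'}$ is $\overline{\varphi} \vee \overline{\varphi'}$;

4. $\overline{\varphi \vee \varphi'}$ is $\overline{\varphi} \wedge \overline{\varphi'}$;

5. $\overline{\forall u\, \varphi}$ is $\exists u\, \overline{\varphi}$ for every variable $u$;

6. $\overline{\exists u\, \varphi}$ is $\forall u\, \overline{\varphi}$ for every variable $u$.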

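We can now define the positive clauses we needed. For $\tau$ equal to $\langle 1, 0 \rangle$, $\langle 1, 1 \rangle$, $\langle 1, 2 \rangle$, $\langle 2, \langle a, b \rangle \rangle$,
$\langle 3, \langle a, b \rangle \rangle$, $\langle 4, \langle a, a' \rangle \rangle$, $\langle 5, a \rangle$, $\langle 6, 0 \rangle$, $\langle 7, \langle c, c' \rangle \rangle$, $\langle 8, \langle c, c' \rangle \rangle$, $\langle 9, \langle c, c' \rangle \rangle$, $\langle 10, \langle a, d \rangle \rangle$,
$\langle 11, \langle a, d \rangle \rangle$, $\langle 12, \langle a, \langle e, f \rangle \rangle \rangle$ we have the following clauses:

1. $\mathrm{Set}(\tau)$ if $\mathrm{Cond}(\tau)$;

2. $n \,\varepsilon\, \tau$ if $\mathrm{Cond}(\tau) \wedge (n \,\varepsilon\, \mathcal{J}([\tau]^{-1}))^+$;

3. $n \not\varepsilon\, \tau$ if $\mathrm{Cond}(\tau) \wedge \overline{(n \,\varepsilon\, \mathcal{J}([\tau]^{-1}))^+}$;

4. $n =_\tau m$ if $\mathrm{Cond}(\tau) \wedge (n \sim_{\mathcal{I}([\tau]^{-1})} m)^+$;

5. $n \neq_\tau m$ if $\mathrm{Cond}(\tau) \wedge \overline{(n \sim_{\mathcal{I}([\tau]^{-1})} m)^+}$;

where $\mathrm{Cond}(\tau)$ is

1. $\top$ if $\tau$ has first component 1 or 6;

2. $\mathrm{Fam}(b, a)$ if $\tau$ has first component 2 or 3;

3. $\mathrm{Set}(a) \wedge \mathrm{Set}(a')$ if $\tau$ has first component 4;

4. $\mathrm{Set}(a)$ if $\tau$ has first component 5;

5. $\mathrm{Set}(c) \wedge \mathrm{Set}(c') \wedge \pi_1(c) > 5 \wedge \pi_1(c') > 5$ if $\tau$ has first component 7, 8 or 9;

6. $\mathrm{Fam}(d, a) \wedge \forall x\, (x \not\varepsilon\, a \vee \pi_1(\{d\}(x)) > 5)$ if $\tau$ has first component 10, 11;

7. $\mathrm{Set}(a) \wedge e \,\varepsilon\, a \wedge f \,\varepsilon\, a$ if $\tau$ has first component 12.

By $n \,\varepsilon\, \mathcal{J}([\tau]^{-1})$ and $n \sim_{\mathcal{I}([\tau]^{-1})} m$ we mean the right-hand side of the respective clause in the realizability
interpretation of sets, taking into account that for small propositions membership coincides with the realizability
relation.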

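For the sake of example we present here the clauses for codes of $\Pi$-sets.

$\mathrm{Set}(\langle 2, \langle a, b \rangle \rangle)$ if $\mathrm{Fam}(b, a)$;

$n \,\varepsilon\, \langle 2, \langle a, b \rangle \rangle$ if
$\mathrm{Fam}(b, a) \wedge \forall x\, (x \not\varepsilon\, a \vee \{n\}(x) \,\varepsilon\, \{b\}(x)) \wedge \forall x \forall y\, (x \neq_a y \vee \{n\}(x) =_{\{b\}(x)} \{n\}(y))$;

$n \not\varepsilon\, \langle 2, \langle a, b \rangle \rangle$ if
$\mathrm{Fam}(b, a) \wedge (\exists x\, (x \,\varepsilon\, a \wedge \{n\}(x) \not\varepsilon\, \{b\}(x)) \vee \exists x \exists y\, (x =_a y \wedge \{n\}(x) \neq_{\{b\}(x)} \{n\}(y)))$;

$n =_{\langle 2, \langle a, b \rangle \rangle} m$ if
$\mathrm{Fam}(b, a) \wedge n \,\varepsilon\, \langle 2, \langle a, b \rangle \rangle \wedge m \,\varepsilon\, \langle 2, \langle a, b \rangle \rangle \wedge \forall x\, (x \not\varepsilon\, a \vee \{n\}(x) =_{\{b\}(x)} \{m\}(x))$;

$n \neq_{\langle 2, \langle a, b \rangle \rangle} m$ if
$\mathrm{Fam}(b, a) \wedge (n \not\varepsilon\, \langle 2, \langle a, b \rangle \rangle \vee m \not\varepsilon\, \langle 2, \langle a, b \rangle \rangle \vee \exists x\, (x \,\varepsilon\, a \wedge \{n\}(x) \neq_{\{b\}(x)} \{m\}(x)))$.

The formulas $\mathrm{Set}(n)$, $t \,\varepsilon\, n$, $t \not\varepsilon\, n$, $t =_n s$ and $t \neq_n s$ are components of a predicate $P_\theta(n)$ defined
in IDi as a fix point of an operator $\theta(n, X)$ defined by glueing together the clauses expressing the
code of each mTT^-set-constructor with its interpretation in IDi.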
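The two translations can be run mechanically on the membership clause of Π-sets from Definition 3.4, which reproduces the positive and negated clauses listed above without the Fam(b, a) conjunct. This is an added example, not code from the paper: the tuple representation of formulas and the function names are assumptions made for illustration.

```python
"""The (.)^+ and overline translations used to build the positive operator.

Formulas are nested tuples. Input connectives follow Definition 3.4:
  ("arith", s)                 arithmetical formula, kept as text
  ("mem", t, S)                t in J(S)         (primitive membership)
  ("eqv", t, s, S)             t ~_{I(S)} s      (primitive equivalence)
  ("and" | "or" | "imp", f, g) and ("all" | "ex", var, f)
Output atoms are the fix-point predicates on codes:
  ("in", t, c), ("nin", t, c), ("eq", t, s, c), ("neq", t, s, c)
"""

# [ ] on the symbols A, A', B (item 1 of the definition of [ ]).
BRACKET = {"A": "a", "A'": "a'", "B": "{b}(x)"}

# Each predicate, connective and quantifier paired with its dual.
DUAL = {"in": "nin", "nin": "in", "eq": "neq", "neq": "eq",
        "and": "or", "or": "and", "all": "ex", "ex": "all"}


def bar(f):
    """Overline: dual of a formula that is already in (.)^+ form."""
    tag = f[0]
    if tag == "arith":
        return ("arith", "¬(" + f[1] + ")")
    if tag in ("in", "nin"):
        return (DUAL[tag], f[1], f[2])
    if tag in ("eq", "neq"):
        return (DUAL[tag], f[1], f[2], f[3])
    if tag in ("and", "or"):
        return (DUAL[tag], bar(f[1]), bar(f[2]))
    if tag in ("all", "ex"):
        return (DUAL[tag], f[1], bar(f[2]))
    raise ValueError(f"overline is only defined after (.)^+, got {tag!r}")


def plus(f):
    """(.)^+: replace J/I-primitives by code predicates, remove implications."""
    tag = f[0]
    if tag == "arith":
        return f
    if tag == "mem":
        return ("in", f[1], BRACKET[f[2]])
    if tag == "eqv":
        return ("eq", f[1], f[2], BRACKET[f[3]])
    if tag in ("and", "or"):
        return (tag, plus(f[1]), plus(f[2]))
    if tag == "imp":                      # clause 5: overline(phi^+) or phi'^+
        return ("or", bar(plus(f[1])), plus(f[2]))
    if tag in ("all", "ex"):
        return (tag, f[1], plus(f[2]))
    raise ValueError(f"unknown connective {tag!r}")


def is_positive(f):
    """True if f uses only the fix-point atoms, 'and', 'or' and quantifiers."""
    tag = f[0]
    if tag in ("arith", "in", "nin", "eq", "neq"):
        return True
    if tag in ("and", "or"):
        return is_positive(f[1]) and is_positive(f[2])
    if tag in ("all", "ex"):
        return is_positive(f[2])
    return False


# n in J((Pi x in A) B), as in Definition 3.4.
PI_MEMBERSHIP = (
    "and",
    ("all", "x", ("imp", ("mem", "x", "A"), ("mem", "{n}(x)", "B"))),
    ("all", "x", ("all", "y", ("imp", ("eqv", "x", "y", "A"),
                               ("eqv", "{n}(x)", "{n}(y)", "B")))),
)

PI_IN = plus(PI_MEMBERSHIP)        # body of the clause for n in <2,<a,b>>
PI_NOT_IN = bar(PI_IN)             # body of the clause for n not-in <2,<a,b>>
```

Because every negation has been pushed into one of the four fix-point predicates, no occurrence of a predicate in `PI_IN` or `PI_NOT_IN` sits under an implication or a negation, which is what the fix point schema requires.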
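The interpretation of collections

Here we extend the realizability relation, membership and equality in definition 3.4 in order to
interpret collections, propositions and the decoding operators.

Definition 3.5. $n \Vdash \varphi$ between natural numbers and mTT-propositions and formulas $n \,\varepsilon\, \mathcal{J}(D)$ and
$n \sim_{\mathcal{I}(D)} m$ for collections $D$ are defined by including all clauses in definition 3.4 plus the following:

1. $n \Vdash \tau(p)$ and $n \,\varepsilon\, \mathcal{J}(\tau(p))$ are both given by $n \,\varepsilon\, \mathcal{I}(p)$;
$n \sim_{\mathcal{I}(\tau(p))} m$ is $n \,\varepsilon\, \mathcal{J}(\tau(p)) \wedge m \,\varepsilon\, \mathcal{J}(\tau(p))$;

2. The realizability relation $n \Vdash \eta$ for propositions is completely analogous to the realizability
relation for small propositions and the interpretation of propositions is given by the class of
realizers equipped with the trivial equivalence relation;

3. $\Sigma$-collections are interpreted exactly in the same way as $\Sigma$-sets;

4. $n \,\varepsilon\, \mathcal{J}(\mathrm{Set})$ is $\mathrm{Set}(n) \wedge \forall t\, (t \,\varepsilon\, n \leftrightarrow \neg\, t \not\varepsilon\, n) \wedge \forall t \forall s\, (t =_n s \leftrightarrow \neg\, t \neq_n s)$. This is because $\not\varepsilon$ and
$\neq$, which are defined by fix point, don't behave necessarily as negations of $\varepsilon$ and $=$ and hence
we need to add $\forall t\, (t \,\varepsilon\, n \leftrightarrow \neg\, t \not\varepsilon\, n)$ and $\forall t \forall s\, (t =_n s \leftrightarrow \neg\, t \neq_n s)$;

The interpretation of $n \sim_{\mathcal{I}(\mathrm{Set})} m$ is
$n \,\varepsilon\, \mathcal{J}(\mathrm{Set}) \wedge m \,\varepsilon\, \mathcal{J}(\mathrm{Set}) \wedge \forall t\, (t \,\varepsilon\, n \leftrightarrow t \,\varepsilon\, m) \wedge \forall t \forall s\, (t =_n s \leftrightarrow t =_m s)$;

5. $n \,\varepsilon\, \mathcal{J}(\mathsf{prop_s})$ is $n \,\varepsilon\, \mathcal{J}(\mathrm{Set}) \wedge \pi_1(n) > 5 \wedge \forall t \forall s\, (t \,\varepsilon\, n \wedge s \,\varepsilon\, n \leftrightarrow t =_n s)$ (recall that small
propositions are encoded with $\pi_1(n) > 5$ and enjoy the proof-irrelevance);

The interpretation of $n \sim_{\mathcal{I}(\mathsf{prop_s})} m$ is $n \,\varepsilon\, \mathcal{J}(\mathsf{prop_s}) \wedge m \,\varepsilon\, \mathcal{J}(\mathsf{prop_s}) \wedge \forall t\, (t \,\varepsilon\, n \leftrightarrow t \,\varepsilon\, m)$;

6. $n \,\varepsilon\, \mathcal{J}(A \rightarrow \mathsf{prop_s})$ is $\forall t \forall s\, (t \sim_{\mathcal{I}(A)} s \rightarrow \{n\}(t) \sim_{\mathcal{I}(\mathsf{prop_s})} \{n\}(s))$
and $n \sim_{\mathcal{I}(A \rightarrow \mathsf{prop_s})} m$ is
$n \,\varepsilon\, \mathcal{J}(A \rightarrow \mathsf{prop_s}) \wedge m \,\varepsilon\, \mathcal{J}(A \rightarrow \mathsf{prop_s}) \wedge \forall t\, (t \,\varepsilon\, \mathcal{J}(A) \rightarrow \{n\}(t) \sim_{\mathcal{I}(\mathsf{prop_s})} \{m\}(t))$.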

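The interpretation of judgements

We now need to say how judgements are interpreted in our realizability model. First of all, if
$\mathcal{A} = (A, \sim_{\mathcal{A}})$ and $\mathcal{B} = (B, \sim_{\mathcal{B}})$ are definable classes of IDi equipped with a definable equivalence
relation, then we denote with $\mathcal{A} = \mathcal{B}$ the formula $\forall t \forall s\, (t \sim_{\mathcal{A}} s \leftrightarrow t \sim_{\mathcal{B}} s)$.

The judgements of mTT® are interpreted as follows:

1. if $type \in \{set, col, prop_s, prop\}$, the interpretation of $A\ type$ is $\mathcal{I}(A) = \mathcal{I}(A)$;

2. if $type \in \{set, col, prop_s, prop\}$, the interpretation of $A = B\ type$ is $\mathcal{I}(A) = \mathcal{I}(B)$;

3. the judgement $t \in A$ is interpreted as $\mathcal{I}(t) \,\varepsilon\, \mathcal{J}(A)$;

4. the judgement $t = s \in A$ is interpreted as $\mathcal{I}(t) \sim_{\mathcal{I}(A)} \mathcal{I}(s)$;

5. if $type \in \{set, col, prop_s, prop\}$, the interpretation of $A\ type\ [x_1 \in A_1, \ldots, x_n \in A_n]$ is

$\forall x_1 \forall y_1 \ldots \forall x_n \forall y_n\, (x_1 \sim_{\mathcal{I}(A_1)} y_1 \wedge \ldots \wedge x_n \sim_{\mathcal{I}(A_n)} y_n \rightarrow \mathcal{I}(A) = \mathcal{I}(A)[y_1/x_1, \ldots, y_n/x_n])$;

6. if $type \in \{set, col, prop_s, prop\}$, the interpretation of $A = B\ type\ [x_1 \in A_1, \ldots, x_n \in A_n]$ is

$\forall x_1 \ldots \forall x_n\, (x_1 \,\varepsilon\, \mathcal{J}(A_1) \wedge \ldots \wedge x_n \,\varepsilon\, \mathcal{J}(A_n) \rightarrow \mathcal{I}(A) = \mathcal{I}(B))$;

7. the judgement $t \in A\ [x_1 \in A_1, \ldots, x_n \in A_n]$ is interpreted as

$\forall x_1 \forall y_1 \ldots \forall x_n \forall y_n\, (x_1 \sim_{\mathcal{I}(A_1)} y_1 \wedge \ldots \wedge x_n \sim_{\mathcal{I}(A_n)} y_n \rightarrow \mathcal{I}(t) \sim_{\mathcal{I}(A)} \mathcal{I}(t)[y_1/x_1, \ldots, y_n/x_n])$;

8. the judgement $t = s \in A\ [x_1 \in A_1, \ldots, x_n \in A_n]$ is interpreted as

$\forall x_1 \ldots \forall x_n\, (x_1 \,\varepsilon\, \mathcal{J}(A_1) \wedge \ldots \wedge x_n \,\varepsilon\, \mathcal{J}(A_n) \rightarrow \mathcal{I}(t) \sim_{\mathcal{I}(A)} \mathcal{I}(s))$.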


3.3 The validity theorem 

A judgement $J$ in the language of mTT'* is validated by the realizability model ($\mathcal{R} \vDash J$) if IDi $\vdash \mathcal{I}(J)$,
where $\mathcal{I}(J)$ is the interpretation of $J$ according to the previous section. We say that a proposition $\varphi$
is validated by the model ($\mathcal{R} \vDash \varphi$), if its interpretation can be proven to be inhabited, which means
that

IDi $\vdash \exists r\, (r \,\varepsilon\, \mathcal{J}(\varphi))$ which is equivalent to IDi $\vdash \exists r\, (r \Vdash \varphi)$.

In order to prove how substitution is interpreted in an easy way, it is convenient to modify the
presentation of mTT'* -rules, into an equivalent system (still denoted by mTT'’), where we supply
the information that the members in a type equality judgement are types, and members of term
equality judgements are typed terms as follows with the warning of avoiding repetitions of same
judgements: for $type \in \{set, col, prop_s, prop\}$


any rule 




is changed to 


A type [T] , B type [b] 


A = B type [F] “ A = B type [F] 

B type [F] 

6?^ .s changed to -- 

Ji...Jri . , ,, Ji...Jn, a G Atype[T] , b G Atype[T] 

any rule -;-—is changed to -;- 1 -p—i- 

a = bGA[r] ^ a = bG A type [F] 

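the substitution rules sub T) and sub) in [10] are changed to

sub T)
  $C(x_1, \ldots, x_n)\ type\ [x_1 \in A_1, \ldots, x_n \in A_n(x_1, \ldots, x_{n-1})]$
  $a_1 \in A_1, \ldots, a_n \in A_n(a_1, \ldots, a_{n-1})$    $b_1 \in A_1, \ldots, b_n \in A_n(b_1, \ldots, b_{n-1})$
  $a_1 = b_1 \in A_1\ \ldots\ a_n = b_n \in A_n(a_1, \ldots, a_{n-1})$
  ------------------------------------------------------------
  $C(a_1, \ldots, a_n) = C(b_1, \ldots, b_n)\ type$

Note that this definition and the following exploit the fact that mTT-variables are interpreted as themselves
thought of as IDi-variables.

sub)
  $c(x_1, \ldots, x_n) \in C(x_1, \ldots, x_n)\ [x_1 \in A_1, \ldots, x_n \in A_n(x_1, \ldots, x_{n-1})]$
  $C(x_1, \ldots, x_n)\ type\ [x_1 \in A_1, \ldots, x_n \in A_n(x_1, \ldots, x_{n-1})]$
  $a_1 \in A_1, \ldots, a_n \in A_n(a_1, \ldots, a_{n-1})$    $b_1 \in A_1, \ldots, b_n \in A_n(b_1, \ldots, b_{n-1})$
  $a_1 = b_1 \in A_1\ \ldots\ a_n = b_n \in A_n(a_1, \ldots, a_{n-1})$
  ------------------------------------------------------------
  $c(a_1, \ldots, a_n) = c(b_1, \ldots, b_n) \in C(a_1, \ldots, a_n)$

the formation rules F-$\Sigma$), F-$\exists$) and F-$\forall$) are changed to

F-$\Sigma$)
  $B\ col$    $C(x)\ col\ [x \in B]$
  ------------------------------
  $\Sigma_{x \in B} C(x)\ col$

F-$\exists$)
  $B\ col$    $C(x)\ prop\ [x \in B]$
  ------------------------------
  $\exists_{x \in B} C(x)\ prop$

F-$\forall$)
  $B\ col$    $C(x)\ prop\ [x \in B]$
  ------------------------------
  $\forall_{x \in B} C(x)\ prop$

the elimination rules E-$\Pi$) and E-$\forall$) are changed to

E-$\Pi$)
  $C(x)\ set\ [x \in B]$    $C(b)\ set$    $b \in B$    $f \in \Pi_{x \in B} C(x)$
  ------------------------------------------------------------
  $\mathsf{Ap}(f, b) \in C(b)$

E-$\forall$)
  $C(x)\ prop\ [x \in B]$    $C(b)\ prop$    $b \in B$    $f \in \forall_{x \in B} C(x)$
  ------------------------------------------------------------
  $\mathsf{Ap}_{\forall}(f, b) \in C(b)$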

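Note that each mTT®-type is a collection and therefore in deriving a typed term $b \in B$ under
a context the addition of the information that the type $B$ is a collection in the premise is certainly
valid.

Theorem 3.1 (Validity theorem). For every judgement $J$ in the language of mTT^ , if $J$ can be
proven in mTT® (mTT® $\vdash J$), then $J$ is validated by the model ($\mathcal{R} \vDash J$).

Proof.

In order to prove the validity theorem it is necessary to prove by induction on the height of the
proof tree in mTT® these three facts at the same time:

1. for every judgement $J$ in the language of mTT®, if mTT® $\vdash J$ then $\mathcal{R} \vDash J$;

2. (substitution) If mTT® $\vdash C\ type\ [x_1 \in A_1, \ldots, x_n \in A_n]$ for $type \in \{set, col, prop_s, prop\}$, for all

mTT® $\vdash a_1 \in A_1\ [y_1 \in B_1, \ldots, y_m \in B_m]$, ...,

mTT $\vdash a_n \in A_n[a_1/x_1, \ldots, a_{n-1}/x_{n-1}]\ [y_1 \in B_1, \ldots, y_m \in B_m]$:

if $\mathcal{R} \vDash a_1 \in A_1\ [y_1 \in B_1, \ldots, y_m \in B_m]$, ...,

$\mathcal{R} \vDash a_n \in A_n[a_1/x_1, \ldots, a_{n-1}/x_{n-1}]\ [y_1 \in B_1, \ldots, y_m \in B_m]$,

then

IDi $\vdash \forall y_1 \ldots \forall y_m\, (y_1 \,\varepsilon\, \mathcal{J}(B_1) \wedge \ldots \wedge y_m \,\varepsilon\, \mathcal{J}(B_m) \rightarrow$
$\mathcal{I}(C)[\mathcal{I}(a_1)/x_1, \ldots, \mathcal{I}(a_n)/x_n] = \mathcal{I}(C[a_1/x_1, \ldots, a_n/x_n]))$

and if mTT® $\vdash c \in C\ [x_1 \in A_1, \ldots, x_n \in A_n]$ for all

mTT® $\vdash a_1 \in A_1\ [y_1 \in B_1, \ldots, y_m \in B_m]$, ...,

mTT $\vdash a_n \in A_n[a_1/x_1, \ldots, a_{n-1}/x_{n-1}]\ [y_1 \in B_1, \ldots, y_m \in B_m]$:

if $\mathcal{R} \vDash a_1 \in A_1\ [y_1 \in B_1, \ldots, y_m \in B_m]$, ...,

$\mathcal{R} \vDash a_n \in A_n[a_1/x_1, \ldots, a_{n-1}/x_{n-1}]\ [y_1 \in B_1, \ldots, y_m \in B_m]$,

then

IDi $\vdash \forall y_1 \ldots \forall y_m\, (y_1 \,\varepsilon\, \mathcal{J}(B_1) \wedge \ldots \wedge y_m \,\varepsilon\, \mathcal{J}(B_m) \rightarrow$
$\mathcal{I}(c)[\mathcal{I}(a_1)/x_1, \ldots, \mathcal{I}(a_n)/x_n] \sim_{\mathcal{I}(C[a_1/x_1, \ldots, a_n/x_n])} \mathcal{I}(c[a_1/x_1, \ldots, a_n/x_n]))$

3. (coding) If mTT® $\vdash B\ set\ [x_1 \in A_1, \ldots, x_n \in A_n]$, then

IDi $\vdash \forall x_1 \ldots \forall x_n\, (x_1 \,\varepsilon\, \mathcal{J}(A_1) \wedge \ldots \wedge x_n \,\varepsilon\, \mathcal{J}(A_n) \rightarrow \mathrm{Set}(\mathcal{I}(B)) \wedge$
$\forall t\, (t \,\varepsilon\, \mathcal{J}(B) \leftrightarrow t \,\varepsilon\, \mathcal{I}(B)) \wedge \forall t\, (\neg\, t \,\varepsilon\, \mathcal{J}(B) \leftrightarrow t \not\varepsilon\, \mathcal{I}(B)) \wedge$
$\forall t \forall s\, (t \sim_{\mathcal{I}(B)} s \leftrightarrow t =_{\mathcal{I}(B)} s) \wedge \forall t \forall s\, (\neg\, t \sim_{\mathcal{I}(B)} s \leftrightarrow t \neq_{\mathcal{I}(B)} s))$.

We will prove the statements in the case in which $[x_1 \in A_1, \ldots, x_n \in A_n]$ is $[x \in A]$ and
$[y_1 \in B_1, \ldots, y_m \in B_m]$ is $[\,]$, as the more general case is analogous. The choice of the empty context for the
terms which will be used in substitutions doesn't give any loss of generality, as terms are interpreted
as terms, variables as themselves and so everything remains true up to universal closure.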

The empty set
Empty set Formation

As IDi $\vdash \forall x \forall x'\, (x \sim_{\mathcal{I}(A)} x' \rightarrow \forall t \forall s\, (\bot \leftrightarrow \bot))$, then we obtain that $\mathcal{R} \vDash N_0\ set\ [x \in A]$.

Empty set elimination

Suppose we derived in mTT® the judgment $\mathsf{emp}_0(a) \in A[a/x]$ by elimination after having derived
$a \in N_0$ and $A\ set\ [x \in N_0]$. By inductive hypothesis on validity IDi $\vdash \mathcal{I}(a) \,\varepsilon\, \mathcal{J}(N_0)$, which means
that IDi $\vdash \bot$, from which, by ex falso quodlibet, one can prove in IDi the interpretation of the
judgment $\mathsf{emp}_0(a) \in A[a/x]$.

Substitution for empty set elimination

The substitution for elimination is trivial as $\mathsf{emp}_0(t)$ is always interpreted as a constant.

The singleton set
Singleton formation

As IDi $\vdash \forall x \forall x'\, (x \sim_{\mathcal{I}(A)} x' \rightarrow \forall t \forall s\, (t = s \wedge t = 0 \leftrightarrow t = s \wedge t = 0))$, we can conclude that

$\mathcal{R} \vDash N_1\ set\ [x \in A]$.

Singleton introduction

Let us prove the validity of the judgment $* \in N_1\ [x \in A]$. Its interpretation is

$\forall x \forall x'\, (x \sim_{\mathcal{I}(A)} x' \rightarrow 0 \sim_{\mathcal{I}(N_1)} 0)$

which is by definition

$\forall x \forall x'\, (x \sim_{\mathcal{I}(A)} x' \rightarrow 0 = 0)$

which trivially holds in IDi. The substitution holds trivially, because $*$ does not contain any variable.
Substitution for singleton introduction

Substitution is trivial as $\mathcal{I}(*)$ and $*$ don't contain variables.

Singleton elimination

Suppose we derived in mTT^ the judgment $El_{N_1}(t, c) \in C[t/y]\ [x \in A]$ by elimination after having
derived $t \in N_1\ [x \in A]$, $c \in C[*/y]\ [x \in A]$ and $C\ set\ [x \in A, y \in N_1]$. By inductive hypothesis on
validity we have that in IDi

$(*)\ \forall x\, (x \,\varepsilon\, \mathcal{J}(A) \rightarrow \mathcal{I}(t) = 0)$

Using $(*)$ and the inductive hypothesis on substitution applied to $C$ with respect to
$x \in A\ [x \in A]$ and $t \in N_1\ [x \in A]$ (namely, that $\forall x\, (x \,\varepsilon\, \mathcal{J}(A) \rightarrow \mathcal{I}(C[t/y]) = \mathcal{I}(C)[\mathcal{I}(t)/y])$) we can
derive in IDi that

$(**)\ \forall x\, (x \,\varepsilon\, \mathcal{J}(A) \rightarrow \forall t \forall s\, (t \sim_{\mathcal{I}(C)[0/y]} s \leftrightarrow t \sim_{\mathcal{I}(C[t/y])} s))$

and using the inductive hypothesis on substitution applied to $C$ with respect to $x \in A\ [x \in A]$ and
$* \in N_1\ [x \in A]$, we have that

$(***)\ \forall x\, (x \,\varepsilon\, \mathcal{J}(A) \rightarrow \forall t \forall s\, (t \sim_{\mathcal{I}(C)[0/y]} s \leftrightarrow t \sim_{\mathcal{I}(C[*/y])} s))$.

Using the inductive hypothesis on validity for $c$ we obtain that

$\forall x \forall x'\, (x \sim_{\mathcal{I}(A)} x' \rightarrow \mathcal{I}(c) \sim_{\mathcal{I}(C[*/y])} \mathcal{I}(c)[x'/x])$
and using (=i<=i=) and (*) we obtain that in IDi 

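$\forall x \forall x'\, (x \sim_{\mathcal{I}(A)} x' \rightarrow \mathcal{I}(c) \sim_{\mathcal{I}(C[t/y])} \mathcal{I}(c)[x'/x])$

which is exactly

$\forall x \forall x'\, (x \sim_{\mathcal{I}(A)} x' \rightarrow \mathcal{I}(El_{N_1}(t, c)) \sim_{\mathcal{I}(C[t/y])} \mathcal{I}(El_{N_1}(t, c))[x'/x])$

So we have that $\mathcal{R} \vDash El_{N_1}(t, c) \in C[t/y]\ [x \in A]$.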


Substitution for singleton elimination

In addition to the hypothesis of the previous point suppose that mTT® $\vdash a \in A$ and
IDi $\vdash \mathcal{I}(a) \,\varepsilon\, \mathcal{J}(A)$. By inductive hypothesis on substitution for $c$ and $t$ with respect to $a$ we have in
IDi that

$(*)\ \mathcal{I}(c)[\mathcal{I}(a)/x] \sim_{\mathcal{I}(C[*/y][a/x])} \mathcal{I}(c[a/x])$

$(**)\ \mathcal{I}(t)[\mathcal{I}(a)/x] \sim_{\mathcal{I}(N_1)} \mathcal{I}(t[a/x])$

In particular from $(**)$ we obtain that $\mathcal{I}(t[a/x]) = 0$ in IDi. Using in $(*)$ the inductive hypothesis
on substitution for $C$ with respect to $* \in N_1$ and $a \in A$, and recalling that $\mathcal{I}(t[a/x]) = 0$, we have
that

$\mathcal{I}(c)[\mathcal{I}(a)/x] \sim_{\mathcal{I}(C)[\mathcal{I}(a)/x,\, 0/y]} \mathcal{I}(c[a/x])$

which is

$\mathcal{I}(c)[\mathcal{I}(a)/x] \sim_{\mathcal{I}(C)[\mathcal{I}(a)/x,\, \mathcal{I}(t[a/x])/y]} \mathcal{I}(c[a/x])$.

Now observing that mTT® $\vdash t[a/x] \in N_1$, and hence by inductive hypothesis
$\mathcal{R} \vDash t[a/x] \in N_1$, as IDi $\vdash \mathcal{I}(t[a/x]) = 0$, we have (using substitution for $C$ with respect to $a \in A$
and $t[a/x] \in N_1$) that

$\mathcal{I}(c)[\mathcal{I}(a)/x] \sim_{\mathcal{I}(C[a/x,\, t[a/x]/y])} \mathcal{I}(c[a/x])$

which exactly is

$\mathcal{I}(c)[\mathcal{I}(a)/x] \sim_{\mathcal{I}(C[t/y][a/x])} \mathcal{I}(c[a/x])$

and this is

$\mathcal{I}(El_{N_1}(t, c))[\mathcal{I}(a)/x] \sim_{\mathcal{I}(C[t/y][a/x])} \mathcal{I}(El_{N_1}(t, c)[a/x])$.


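Singleton conversion

Suppose we derived in mTT® the judgment $El_{N_1}(*, c) = c \in C[*/y]\ [x \in A]$ by conversion after having derived
the judgments $c \in C[*/y]\ [x \in A]$ and $C\ set\ [x \in A, y \in N_1]$. Then by inductive hypothesis on validity
we have that in IDi

$\forall x\, (x \,\varepsilon\, \mathcal{J}(A) \rightarrow \mathcal{I}(c) \sim_{\mathcal{I}(C[*/y])} \mathcal{I}(c))$

by the reflexivity of $\sim_{\mathcal{I}(A)}$; this is exactly equivalent to

$\forall x\, (x \,\varepsilon\, \mathcal{J}(A) \rightarrow \mathcal{I}(El_{N_1}(*, c)) \sim_{\mathcal{I}(C[*/y])} \mathcal{I}(c))$.

So $\mathcal{R} \vDash El_{N_1}(*, c) = c \in C[*/y]\ [x \in A]$.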


The set of natural numbers
Natural numbers formation

Formation is trivial as $\mathcal{I}(N)$ does not depend on any variable.

Natural numbers introduction

Let us check that $\mathcal{R} \vDash 0 \in N\ [x \in A]$. This is trivial as in IDi, we have that

$\forall x \forall x'\, (x \sim_{\mathcal{I}(A)} x' \rightarrow 0 = 0)$.

Suppose now we derived in mTT^ the judgment $succ(n) \in N\ [x \in A]$ by introduction after having
derived $n \in N\ [x \in A]$. By using the inductive hypothesis on validity we deduce similarly that
$\mathcal{R} \vDash succ(n) \in N\ [x \in A]$.

Substitution for natural numbers introduction

The case of substitution for 0 is trivial as 0 does not contain variables. Suppose in addition to the
hypothesis in the previous point that mTT® $\vdash a \in A$ and this is valid in $\mathcal{R}$. By inductive hypothesis
on substitution we have that

IDi $\vdash \mathcal{I}(n)[\mathcal{I}(a)/x] = \mathcal{I}(n[a/x])$

from which we derive

IDi $\vdash succ(\mathcal{I}(n)[\mathcal{I}(a)/x]) = succ(\mathcal{I}(n[a/x]))$

which is exactly

IDi $\vdash \mathcal{I}(succ(n))[\mathcal{I}(a)/x] = \mathcal{I}(succ(n)[a/x])$.
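Natural numbers elimination

Suppose we derived $El_N(n, a, (y,z)b) \in B[n/u]\ [x \in A]$ in mTT® by elimination after having derived

1. $B\ set\ [x \in A, u \in N]$,

2. $a \in B[0/u]\ [x \in A]$,

3. $n \in N\ [x \in A]$,

4. $b \in B[succ(y)/u]\ [x \in A, y \in N, z \in B[y/u]]$.

Using the inductive hypotheses we will first prove that in IDi

$\forall x \forall x'\, (x \sim_{\mathcal{I}(A)} x' \rightarrow$
$\forall u\, (\{\mathbf{rec}\}(\mathcal{I}(a), \Lambda y.\Lambda z.\mathcal{I}(b), u) \sim_{\mathcal{I}(B)} \{\mathbf{rec}\}(\mathcal{I}(a)[x'/x], \Lambda y.\Lambda z.\mathcal{I}(b)[x'/x], u)))$.

We suppose $x \sim_{\mathcal{I}(A)} x'$ and we prove this by induction on $u$. First of all by inductive hypothesis on
validity for $a$ we have that

$\mathcal{I}(a) \sim_{\mathcal{I}(B[0/u])} \mathcal{I}(a)[x'/x]$

which by definition is

$\{\mathbf{rec}\}(\mathcal{I}(a), \Lambda y.\Lambda z.\mathcal{I}(b), 0) \sim_{\mathcal{I}(B[0/u])} \{\mathbf{rec}\}(\mathcal{I}(a)[x'/x], \Lambda y.\Lambda z.\mathcal{I}(b)[x'/x], 0)$.

Using the inductive hypothesis on substitution for $B$ with respect to $x \in A\ [x \in A]$ and $0 \in N\ [x \in A]$
we obtain that

$\{\mathbf{rec}\}(\mathcal{I}(a), \Lambda y.\Lambda z.\mathcal{I}(b), 0) \sim_{\mathcal{I}(B)[0/u]} \{\mathbf{rec}\}(\mathcal{I}(a)[x'/x], \Lambda y.\Lambda z.\mathcal{I}(b)[x'/x], 0)$.

Suppose now that

$\{\mathbf{rec}\}(\mathcal{I}(a), \Lambda y.\Lambda z.\mathcal{I}(b), u) \sim_{\mathcal{I}(B)} \{\mathbf{rec}\}(\mathcal{I}(a)[x'/x], \Lambda y.\Lambda z.\mathcal{I}(b)[x'/x], u)$

By inductive hypothesis on validity for $b$ we have that

$\mathcal{I}(b)[u/y, \{\mathbf{rec}\}(\mathcal{I}(a), \Lambda y.\Lambda z.\mathcal{I}(b), u)/z] \sim_{\mathcal{I}(B[succ(y)/u])[u/y,\, \{\mathbf{rec}\}(\mathcal{I}(a), \Lambda y.\Lambda z.\mathcal{I}(b), u)/z]}$
$\mathcal{I}(b)[x'/x, u/y, \{\mathbf{rec}\}(\mathcal{I}(a)[x'/x], \Lambda y.\Lambda z.\mathcal{I}(b)[x'/x], u)/z]$.

Using the inductive hypothesis on substitution for $B$ with respect to
$x \in A\ [x \in A, y \in N, z \in B[y/u]]$ and $succ(y) \in N\ [x \in A, y \in N]$ and the inductive hypothesis on
substitution for $B$ with respect to $x \in A\ [x \in A, y \in N]$ and $y \in N\ [x \in A, y \in N]$ we obtain that

$\mathcal{I}(b)[u/y, \{\mathbf{rec}\}(\mathcal{I}(a), \Lambda y.\Lambda z.\mathcal{I}(b), u)/z] \sim_{\mathcal{I}(B)[succ(u)/u]}$
$\mathcal{I}(b)[x'/x, u/y, \{\mathbf{rec}\}(\mathcal{I}(a)[x'/x], \Lambda y.\Lambda z.\mathcal{I}(b)[x'/x], u)/z]$

which is by definition

$\{\mathbf{rec}\}(\mathcal{I}(a), \Lambda y.\Lambda z.\mathcal{I}(b), u + 1) \sim_{\mathcal{I}(B)[succ(u)/u]} \{\mathbf{rec}\}(\mathcal{I}(a)[x'/x], \Lambda y.\Lambda z.\mathcal{I}(b)[x'/x], u + 1)$.

So we can conclude that

$\forall x \forall x'\, (x \sim_{\mathcal{I}(A)} x' \rightarrow$
$\forall u\, (\{\mathbf{rec}\}(\mathcal{I}(a), \Lambda y.\Lambda z.\mathcal{I}(b), u) \sim_{\mathcal{I}(B)} \{\mathbf{rec}\}(\mathcal{I}(a)[x'/x], \Lambda y.\Lambda z.\mathcal{I}(b)[x'/x], u)))$.

Now considering that by inductive hypothesis on validity we have that

IDi $\vdash \forall x \forall x'\, (x \sim_{\mathcal{I}(A)} x' \rightarrow \mathcal{I}(n) = \mathcal{I}(n)[x'/x])$

we obtain that

$\forall x \forall x'\, (x \sim_{\mathcal{I}(A)} x' \rightarrow \{\mathbf{rec}\}(\mathcal{I}(a), \Lambda y.\Lambda z.\mathcal{I}(b), \mathcal{I}(n)) \sim_{\mathcal{I}(B)[\mathcal{I}(n)/u]}$
$\{\mathbf{rec}\}(\mathcal{I}(a)[x'/x], \Lambda y.\Lambda z.\mathcal{I}(b)[x'/x], \mathcal{I}(n)[x'/x]))$

which is by definition

$\forall x \forall x'\, (x \sim_{\mathcal{I}(A)} x' \rightarrow \mathcal{I}(El_N(n, a, (y,z)b)) \sim_{\mathcal{I}(B)[\mathcal{I}(n)/u]} \mathcal{I}(El_N(n, a, (y,z)b))[x'/x])$.

Now using the inductive hypothesis on substitution for $B$ with respect to $x \in A\ [x \in A]$ and
$n \in N\ [x \in A]$ we have that

$\forall x \forall x'\, (x \sim_{\mathcal{I}(A)} x' \rightarrow \mathcal{I}(El_N(n, a, (y,z)b)) \sim_{\mathcal{I}(B[n/u])} \mathcal{I}(El_N(n, a, (y,z)b))[x'/x])$

which means that $\mathcal{R} \vDash El_N(n, a, (y,z)b) \in B[n/u]$.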


Substitution for natural numbers elimination 

We add to the hypotheses of the previous point, the hypothesis that d G At is provable in mTT® and 
valid in TZ. By inductive hypothesis on substitution we have in IDi that X{n)\X{a)/x] = X(n\fl/x\). 
We must prove by induction on u that 

V'u({rec}(X(a), Ay.Az.I(&), u)[X{a)/x\ -^x(B[a/x\) {Yec}{X{a[a/x\),Ay.Az.X{b[a/x\),u)). 

We prove this statement in a way similar to that of the previous point, using the inductive hypotheses 
on substitution. From this we derive that 


{Yec}{X{a),Ay.Az.X{b),X{n))[X{a)/x\ ^x(B[a/x])[i{n[a/x])/u] 


{rec}{I{a[a/x\),Ay.Az.X{b[a/x\),X{n[a/x\)). 

Using the inductive hypothesis on substitution applied to d G A[u £ A^] and u £ A^[m G A^] we obtain 
that 

{rec} (X((z), Ay.Az.X{b^^ X(7r)) [X(u)/x] ^x(b) \z{a)jx£L{n\ajx\)jv\ 
{rec}{X{a\a/x\),Ay.Az.X{b\a/x\),X{n\a/x\)). 

So we have in /Di, using the inductive hypothesis on substitution for B with respect to d G A and 
n[d/x] G N, that 


{Yec}{X{a),Ay.Az.X{b),X{n))[X{a)/x\ '^x(B[a/x,n[d/x]/v])/u] 
{vec}{X{a\a/x\),Ay.Az.X{b\a/x\),X{n\a/x\)). 

This is equivalent to say that 


X{ElN{n,a, {y,z)b))[X{a)/x] -^x(B[n/y][a/x])/u] X{ElN{n,a, {y,z)b)[a/x]). 
Natural numbers conversion

For conversion suppose that we derived $El_N(0, a, (y, z)b) = a \in B[0/u]\ [x \in A]$ in $\mathbf{mTT}^a$ by conversion after having derived

1. $B\ \mathit{set}\ [x \in A, u \in N]$,

2. $a \in B[0/u]\ [x \in A]$,

3. $b \in B[\mathsf{succ}(y)/u]\ [x \in A, y \in N, z \in B[y/u]]$.

By inductive hypothesis on validity we have that in $ID_1$

$$\forall x\,(x\,\varepsilon\,\mathcal{J}(A) \rightarrow \mathcal{I}(a) \sim_{\mathcal{I}(B[0/y])} \mathcal{I}(a))$$

which by definition is

$$\forall x\,(x\,\varepsilon\,\mathcal{J}(A) \rightarrow \mathcal{I}(El_N(0, a, (y, z)b)) \sim_{\mathcal{I}(B[0/y])} \mathcal{I}(a)).$$

Suppose we derived $El_N(\mathsf{succ}(n), a, (y, z)b) \in B[\mathsf{succ}(n)/u]\ [x \in A]$ in $\mathbf{mTT}^a$ by conversion after having derived the previous judgments and $n \in N\ [x \in A]$. By inductive hypothesis on substitution applied to $b$ with respect to $x \in A\ [x \in A]$, $n \in N\ [x \in A]$ and $El_N(n, a, (y, z)b) \in B[n/u]\ [x \in A]$ we have that in $ID_1$

$$\forall x\,(x\,\varepsilon\,\mathcal{J}(A) \rightarrow \mathcal{I}(b)[\mathcal{I}(n)/y, \mathcal{I}(El_N(n, a, (y, z)b))/z] \sim_{\mathcal{I}(B[\mathsf{succ}(n)/y])} \mathcal{I}(b[n/y, El_N(n, a, (y, z)b)/z]))$$

which is exactly

$$\forall x\,(x\,\varepsilon\,\mathcal{J}(A) \rightarrow \mathcal{I}(El_N(\mathsf{succ}(n), a, (y, z)b)) \sim_{\mathcal{I}(B[\mathsf{succ}(n)/y])} \mathcal{I}(b[n/y, El_N(n, a, (y, z)b)/z])).$$

Dependent products 
Dependent product formation 

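Suppose that $\mathcal{R} \vDash C\ \mathit{set}\ [x \in A, y \in B]$ and $B\ \mathit{set}\ [x \in A]$, then

$$ID_1 \vdash \forall x \forall x' \forall y \forall y'\,(x \sim_{\mathcal{I}(A)} x' \wedge y \sim_{\mathcal{I}(B)} y' \rightarrow \forall t \forall s\,(t \sim_{\mathcal{I}(C)} s \leftrightarrow t \sim_{\mathcal{I}(C)[x'/x, y'/y]} s))$$

$$ID_1 \vdash \forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \forall t \forall s\,(t \sim_{\mathcal{I}(B)} s \leftrightarrow t \sim_{\mathcal{I}(B)[x'/x]} s))$$

From $x \sim_{\mathcal{I}(A)} x'$ we can also deduce in $ID_1$ that

$$\forall y \forall y'\,(y \sim_{\mathcal{I}(B)} y' \rightarrow \{t\}(y) \sim_{\mathcal{I}(C)} \{t\}(y')) \leftrightarrow \forall y \forall y'\,(y \sim_{\mathcal{I}(B)[x'/x]} y' \rightarrow \{t\}(y) \sim_{\mathcal{I}(C)[x'/x]} \{t\}(y'))$$

$$\forall y \forall y'\,(y \sim_{\mathcal{I}(B)} y' \rightarrow \{s\}(y) \sim_{\mathcal{I}(C)} \{s\}(y')) \leftrightarrow \forall y \forall y'\,(y \sim_{\mathcal{I}(B)[x'/x]} y' \rightarrow \{s\}(y) \sim_{\mathcal{I}(C)[x'/x]} \{s\}(y'))$$

$$\forall y\,(y\,\varepsilon\,\mathcal{J}(B) \rightarrow \{t\}(y) \sim_{\mathcal{I}(C)} \{s\}(y)) \leftrightarrow \forall y\,(y\,\varepsilon\,\mathcal{J}(B)[x'/x] \rightarrow \{t\}(y) \sim_{\mathcal{I}(C)[x'/x]} \{s\}(y))$$

which means that $ID_1 \vdash \forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \forall t \forall s\,(t \sim_{\mathcal{I}((\Pi y \in B)C)} s \leftrightarrow t \sim_{\mathcal{I}((\Pi y \in B)C)[x'/x]} s))$, that is $\mathcal{R} \vDash (\Pi y \in B)C\ \mathit{set}\ [x \in A]$.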
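Substitution for dependent product formation

In addition to the hypotheses that $\mathbf{mTT}^a \vdash B\ \mathit{set}\ [x \in A]$ and $\mathbf{mTT}^a \vdash C\ \mathit{set}\ [x \in A, y \in B]$, suppose that $\mathbf{mTT}^a \vdash a \in A$ and $ID_1 \vdash \mathcal{I}(a)\,\varepsilon\,\mathcal{J}(A)$. Then by inductive hypothesis on substitution for $B$ with respect to $a$ and for $C$ with respect to $a \in A\ [y \in B[a/x]]$ and $y \in B[a/x]\ [y \in B[a/x]]$ we have that

$$ID_1 \vdash \forall t \forall s\,(t \sim_{\mathcal{I}(B)[\mathcal{I}(a)/x]} s \leftrightarrow t \sim_{\mathcal{I}(B[a/x])} s)$$

and

$$ID_1 \vdash \forall y\,(y\,\varepsilon\,\mathcal{J}(B[a/x]) \rightarrow \forall t \forall s\,(t \sim_{\mathcal{I}(C)[\mathcal{I}(a)/x]} s \leftrightarrow t \sim_{\mathcal{I}(C[a/x])} s)).$$

We can deduce in $ID_1$ that for every $t$ and $s$

$$t \sim_{\mathcal{I}((\Pi y \in B)C)[\mathcal{I}(a)/x]} s$$

is equivalent to

$$\begin{aligned}
&\forall y \forall y'\,(y \sim_{\mathcal{I}(B)[\mathcal{I}(a)/x]} y' \rightarrow \{t\}(y) \sim_{\mathcal{I}(C)[\mathcal{I}(a)/x]} \{t\}(y')) \wedge{} \\
&\forall y \forall y'\,(y \sim_{\mathcal{I}(B)[\mathcal{I}(a)/x]} y' \rightarrow \{s\}(y) \sim_{\mathcal{I}(C)[\mathcal{I}(a)/x]} \{s\}(y')) \wedge{} \\
&\forall y\,(y\,\varepsilon\,\mathcal{J}(B)[\mathcal{I}(a)/x] \rightarrow \{t\}(y) \sim_{\mathcal{I}(C)[\mathcal{I}(a)/x]} \{s\}(y))
\end{aligned}$$

which is equivalent to

$$\begin{aligned}
&\forall y \forall y'\,(y \sim_{\mathcal{I}(B[a/x])} y' \rightarrow \{t\}(y) \sim_{\mathcal{I}(C[a/x])} \{t\}(y')) \wedge{} \\
&\forall y \forall y'\,(y \sim_{\mathcal{I}(B[a/x])} y' \rightarrow \{s\}(y) \sim_{\mathcal{I}(C[a/x])} \{s\}(y')) \wedge{} \\
&\forall y\,(y\,\varepsilon\,\mathcal{J}(B[a/x]) \rightarrow \{t\}(y) \sim_{\mathcal{I}(C[a/x])} \{s\}(y))
\end{aligned}$$

which is exactly $t \sim_{\mathcal{I}(((\Pi y \in B)C)[a/x])} s$.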

Dependent product introduction 

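Suppose we obtained $\mathbf{mTT}^a \vdash (\lambda y)c \in (\Pi y \in B)C$ by introduction after having proved $\mathbf{mTT}^a \vdash c \in C\ [x \in A, y \in B]$, $\mathbf{mTT}^a \vdash C\ \mathit{set}\ [x \in A, y \in B]$ and $\mathbf{mTT}^a \vdash B\ \mathit{set}\ [x \in A]$. By inductive hypothesis on validity we have that

$$\forall x \forall x' \forall y \forall y'\,(x \sim_{\mathcal{I}(A)} x' \wedge y \sim_{\mathcal{I}(B)} y' \rightarrow \mathcal{I}(c) \sim_{\mathcal{I}(C)} \mathcal{I}(c)[x'/x, y'/y])$$

which is equivalent to

$$\forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \forall y \forall y'\,(y \sim_{\mathcal{I}(B)} y' \rightarrow \{\Lambda y.\mathcal{I}(c)\}(y) \sim_{\mathcal{I}(C)} \{\Lambda y.\mathcal{I}(c)[x'/x]\}(y')))$$

which is equivalent to

$$\forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \forall y \forall y'\,(y \sim_{\mathcal{I}(B)} y' \rightarrow \{\mathcal{I}((\lambda y)c)\}(y) \sim_{\mathcal{I}(C)} \{\mathcal{I}((\lambda y)c)[x'/x]\}(y'))).$$

From this it follows that

1. $x \sim_{\mathcal{I}(A)} x$ implies that $\forall y \forall y'\,(y \sim_{\mathcal{I}(B)} y' \rightarrow \{\mathcal{I}((\lambda y)c)\}(y) \sim_{\mathcal{I}(C)} \{\mathcal{I}(\lambda y.c)\}(y'))$, which means that $\mathcal{I}((\lambda y)c)\,\varepsilon\,\mathcal{J}((\Pi y \in B)C)$;

2. $x' \sim_{\mathcal{I}(A)} x'$ implies that

$$\forall y \forall y'\,(y \sim_{\mathcal{I}(B)} y' \rightarrow \{\mathcal{I}((\lambda y)c)[x'/x]\}(y) \sim_{\mathcal{I}(C)[x'/x]} \{\mathcal{I}((\lambda y)c)[x'/x]\}(y')),$$

which means that $\mathcal{I}((\lambda y)c)[x'/x]\,\varepsilon\,\mathcal{J}((\Pi y \in B)C)$;

3. using the fact that $y\,\varepsilon\,\mathcal{J}(B)$ entails $y \sim_{\mathcal{I}(B)} y$ we have that

$$\forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \forall y\,(y\,\varepsilon\,\mathcal{J}(B) \rightarrow \{\mathcal{I}((\lambda y)c)\}(y) \sim_{\mathcal{I}(C)} \{\mathcal{I}((\lambda y)c)[x'/x]\}(y))).$$

This gives us that $\mathcal{R} \vDash (\lambda y)c \in (\Pi y \in B)C\ [x \in A]$.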

Substitution for dependent product introduction 

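For substitution in addition to the hypotheses of the previous point, suppose that

1. $\mathbf{mTT}^a \vdash a \in A$ and

2. $ID_1 \vdash \mathcal{I}(a)\,\varepsilon\,\mathcal{J}(A)$.

From this by inductive hypothesis on substitution with respect to $a \in A\ [y \in B[a/x]]$ and $y \in B[a/x]\ [y \in B[a/x]]$ we obtain that

$$\forall y\,(y\,\varepsilon\,\mathcal{J}(B[a/x]) \rightarrow \mathcal{I}(c)[\mathcal{I}(a)/x] \sim_{\mathcal{I}(C[a/x])} \mathcal{I}(c[a/x]))$$

which entails that

$$\forall y\,(y\,\varepsilon\,\mathcal{J}(B[a/x]) \rightarrow \{\mathcal{I}(\lambda y.c)[\mathcal{I}(a)/x]\}(y) \sim_{\mathcal{I}(C[a/x])} \{\mathcal{I}((\lambda y)c[a/x])\}(y)).$$

Moreover by the inductive hypothesis on validity for $c$ and the validity hypothesis for $a \in A$, we obtain that

$$\forall y \forall y'\,(y \sim_{\mathcal{I}(B)[\mathcal{I}(a)/x]} y' \rightarrow \{\mathcal{I}(\lambda y.c)[\mathcal{I}(a)/x]\}(y) \sim_{\mathcal{I}(C)[\mathcal{I}(a)/x]} \{\mathcal{I}(\lambda y.c)[\mathcal{I}(a)/x]\}(y'))$$

and using the substitution hypothesis for $B$ and $C$ we obtain that

$$\forall y \forall y'\,(y \sim_{\mathcal{I}(B[a/x])} y' \rightarrow \{\mathcal{I}(\lambda y.c)[\mathcal{I}(a)/x]\}(y) \sim_{\mathcal{I}(C[a/x])} \{\mathcal{I}(\lambda y.c)[\mathcal{I}(a)/x]\}(y')).$$

By using the inductive hypothesis on substitution for $c$, for $C$, the validity hypothesis on $c \in C\ [x \in A, y \in B]$ and the previous one we obtain also that

$$\forall y \forall y'\,(y \sim_{\mathcal{I}(B[a/x])} y' \rightarrow \{\mathcal{I}(\lambda y.c[a/x])\}(y) \sim_{\mathcal{I}(C[a/x])} \{\mathcal{I}(\lambda y.c[a/x])\}(y')).$$

This entails that

$$ID_1 \vdash \mathcal{I}((\lambda y)c)[\mathcal{I}(a)/x] \sim_{\mathcal{I}((\Pi y \in B)C[a/x])} \mathcal{I}((\lambda y)c[a/x]).$$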

Dependent product elimination 

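Suppose we derived in $\mathbf{mTT}^a$ the judgment $\mathsf{Ap}(f, b) \in C[b/y]\ [x \in A]$ by elimination after having derived in $\mathbf{mTT}^a$ the judgments $b \in B\ [x \in A]$ and $f \in (\Pi y \in B)C\ [x \in A]$. By inductive hypothesis on validity we have that in $ID_1$

$$\forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \mathcal{I}(b) \sim_{\mathcal{I}(B)} \mathcal{I}(b)[x'/x])$$

$$\begin{aligned}
\forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow{} &\forall y \forall y'\,(y \sim_{\mathcal{I}(B)} y' \rightarrow \{\mathcal{I}(f)\}(y) \sim_{\mathcal{I}(C)} \{\mathcal{I}(f)\}(y')) \wedge{} \\
&\forall y \forall y'\,(y \sim_{\mathcal{I}(B)} y' \rightarrow \{\mathcal{I}(f)[x'/x]\}(y) \sim_{\mathcal{I}(C)} \{\mathcal{I}(f)[x'/x]\}(y')) \wedge{} \\
&\forall y\,(y\,\varepsilon\,\mathcal{J}(B) \rightarrow \{\mathcal{I}(f)\}(y) \sim_{\mathcal{I}(C)} \{\mathcal{I}(f)[x'/x]\}(y))).
\end{aligned}$$

From these we can easily deduce that in $ID_1$

$$\forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \{\mathcal{I}(f)\}(\mathcal{I}(b)) \sim_{\mathcal{I}(B)} \{\mathcal{I}(f)[x'/x]\}(\mathcal{I}(b)[x'/x])).$$

This is exactly

$$\forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \mathcal{I}(\mathsf{Ap}(f, b)) \sim_{\mathcal{I}(C)[\mathcal{I}(b)/y]} \mathcal{I}(\mathsf{Ap}(f, b))[x'/x]).$$

Now, applying the inductive hypothesis on substitution for $C$ with respect to $b \in B\ [x \in A]$ and $x \in A\ [x \in A]$, we obtain that

$$\forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \mathcal{I}(\mathsf{Ap}(f, b)) \sim_{\mathcal{I}(C[b/y])} \mathcal{I}(\mathsf{Ap}(f, b))[x'/x]).$$

So in particular we have that

$$\mathcal{R} \vDash \mathsf{Ap}(f, b) \in C[b/y]\ [x \in A].$$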

Substitution for dependent product elimination 

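In addition to the hypotheses of the previous point, we add the hypotheses that $\mathbf{mTT}^a \vdash a \in A$ and $ID_1 \vdash \mathcal{I}(a)\,\varepsilon\,\mathcal{J}(A)$. By inductive hypothesis on substitution we have in $ID_1$ that

$$\mathcal{I}(b)[\mathcal{I}(a)/x] \sim_{\mathcal{I}(B[a/x])} \mathcal{I}(b[a/x])$$

$$\begin{aligned}
&\forall y \forall y'\,(y \sim_{\mathcal{I}(B[a/x])} y' \rightarrow \{\mathcal{I}(f)[\mathcal{I}(a)/x]\}(y) \sim_{\mathcal{I}(C[a/x])} \{\mathcal{I}(f)[\mathcal{I}(a)/x]\}(y')) \wedge{} \\
&\forall y \forall y'\,(y \sim_{\mathcal{I}(B[a/x])} y' \rightarrow \{\mathcal{I}(f[a/x])\}(y) \sim_{\mathcal{I}(C[a/x])} \{\mathcal{I}(f[a/x])\}(y')) \wedge{} \\
&\forall y\,(y\,\varepsilon\,\mathcal{J}(B[a/x]) \rightarrow \{\mathcal{I}(f)[\mathcal{I}(a)/x]\}(y) \sim_{\mathcal{I}(C[a/x])} \{\mathcal{I}(f[a/x])\}(y)).
\end{aligned}$$

From this we can deduce in $ID_1$ that

$$\{\mathcal{I}(f)[\mathcal{I}(a)/x]\}(\mathcal{I}(b)[\mathcal{I}(a)/x]) \sim_{\mathcal{I}(C[a/x])} \{\mathcal{I}(f[a/x])\}(\mathcal{I}(b[a/x]))$$

which is

$$\mathcal{I}(\mathsf{Ap}(f, b))[\mathcal{I}(a)/x] \sim_{\mathcal{I}(C[a/x])} \mathcal{I}(\mathsf{Ap}(f, b)[a/x])$$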

Dependent product conversion 

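Suppose we derived in $\mathbf{mTT}^a$ the judgment $\mathsf{Ap}(\lambda y.c, b) = c[b/y]\ [x \in A]$ by conversion after having derived $\mathbf{mTT}^a \vdash c \in C\ [x \in A, y \in B]$ and $\mathbf{mTT}^a \vdash b \in B\ [x \in A]$. By inductive hypothesis on validity we can suppose that these two judgments are validated by $\mathcal{R}$ and we can use the inductive hypothesis on substitution applied to $c$ with respect to $x \in A\ [x \in A]$ and $b \in B\ [x \in A]$, obtaining that in $ID_1$

$$\forall x\,(x\,\varepsilon\,\mathcal{J}(A) \rightarrow \mathcal{I}(c)[\mathcal{I}(b)/y] \sim_{\mathcal{I}(C[b/y])} \mathcal{I}(c[b/y]))$$

which is exactly

$$\forall x\,(x\,\varepsilon\,\mathcal{J}(A) \rightarrow \mathcal{I}(\mathsf{Ap}(\lambda y.c, b)) \sim_{\mathcal{I}(C[b/y])} \mathcal{I}(c[b/y])).$$

So we have that $\mathcal{R} \vDash \mathsf{Ap}(\lambda y.c, b) = c[b/y]\ [x \in A]$.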
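Dependent sum sets
Dependent sum formation

Suppose that $\mathcal{R} \vDash C\ \mathit{set}\ [x \in A, y \in B]$ and $\mathcal{R} \vDash B\ \mathit{set}\ [x \in A]$, then

$$ID_1 \vdash \forall x \forall x' \forall y \forall y'\,(x \sim_{\mathcal{I}(A)} x' \wedge y \sim_{\mathcal{I}(B)} y' \rightarrow \forall t \forall s\,(t \sim_{\mathcal{I}(C)} s \leftrightarrow t \sim_{\mathcal{I}(C)[x'/x, y'/y]} s))$$

$$ID_1 \vdash \forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \forall t \forall s\,(t \sim_{\mathcal{I}(B)} s \leftrightarrow t \sim_{\mathcal{I}(B)[x'/x]} s))$$

From $x \sim_{\mathcal{I}(A)} x'$, we can also deduce in $ID_1$ that

$$\begin{aligned}
&p_1(t) \sim_{\mathcal{I}(B)} p_1(s) \wedge \forall y\,(y \sim_{\mathcal{I}(B)} p_1(t) \rightarrow p_2(t) \sim_{\mathcal{I}(C)} p_2(s)) \leftrightarrow{} \\
&p_1(t) \sim_{\mathcal{I}(B)[x'/x]} p_1(s) \wedge \forall y\,(y \sim_{\mathcal{I}(B)[x'/x]} p_1(t) \rightarrow p_2(t) \sim_{\mathcal{I}(C)[x'/x]} p_2(s))
\end{aligned}$$

which means that

$$ID_1 \vdash \forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \forall t \forall s\,(t \sim_{\mathcal{I}((\Sigma y \in B)C)} s \leftrightarrow t \sim_{\mathcal{I}((\Sigma y \in B)C)[x'/x]} s))$$

that is $\mathcal{R} \vDash (\Sigma y \in B)C\ \mathit{set}\ [x \in A]$.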


Substitution for dependent sum formation 


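In addition to the hypotheses that $\mathbf{mTT}^a \vdash B\ \mathit{set}\ [x \in A]$ and $\mathbf{mTT}^a \vdash C\ \mathit{set}\ [x \in A, y \in B]$, suppose that $\mathbf{mTT}^a \vdash a \in A$ and $ID_1 \vdash \mathcal{I}(a)\,\varepsilon\,\mathcal{J}(A)$. Then by inductive hypothesis on substitution for $B$ with respect to $a$ and for $C$ with respect to $a \in A\ [y \in B[a/x]]$ and $y \in B[a/x]\ [y \in B[a/x]]$ we have that

$$ID_1 \vdash \forall t \forall s\,(t \sim_{\mathcal{I}(B)[\mathcal{I}(a)/x]} s \leftrightarrow t \sim_{\mathcal{I}(B[a/x])} s)$$

and

$$ID_1 \vdash \forall y\,(y\,\varepsilon\,\mathcal{J}(B[a/x]) \rightarrow \forall t \forall s\,(t \sim_{\mathcal{I}(C)[\mathcal{I}(a)/x]} s \leftrightarrow t \sim_{\mathcal{I}(C[a/x])} s)).$$

From these we can immediately deduce that

$$ID_1 \vdash \mathcal{I}((\Sigma y \in B)C)[\mathcal{I}(a)/x] = \mathcal{I}((\Sigma y \in B)C[a/x]),$$

as $\sim_{\mathcal{I}((\Sigma y \in B)C)}$ only depends on $\mathcal{I}(B)$ and $\mathcal{I}(C)$.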


Dependent sum introduction 

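Suppose we derived in $\mathbf{mTT}^a$, $\langle b, c\rangle \in (\Sigma y \in B)C\ [x \in A]$ by introduction after having derived in $\mathbf{mTT}^a$, $b \in B\ [x \in A]$, $c \in C[b/y]\ [x \in A]$ and $C\ \mathit{col}\ [x \in A, y \in B]$. Suppose $x \sim_{\mathcal{I}(A)} x'$. By inductive hypothesis on validity applied to $b \in B\ [x \in A]$, we obtain in $ID_1$ that $\mathcal{I}(b) \sim_{\mathcal{I}(B)} \mathcal{I}(b)[x'/x]$ (and so also $\mathcal{I}(b)\,\varepsilon\,\mathcal{J}(B)$ and $\mathcal{I}(b)[x'/x]\,\varepsilon\,\mathcal{J}(B)$). By inductive hypothesis on the validity of $C\ \mathit{col}\ [x \in A, y \in B]$, if we have that $y \sim_{\mathcal{I}(B)} \mathcal{I}(b)$ we obtain that $\mathcal{I}(C) = \mathcal{I}(C)[\mathcal{I}(b)/y]$. By inductive hypothesis on substitution applied to $C\ \mathit{col}\ [x \in A, y \in B]$, $b \in B\ [x \in A]$ and $x \in A\ [x \in A]$, we have that $\mathcal{I}(C)[\mathcal{I}(b)/y] = \mathcal{I}(C[b/y])$. Now by inductive hypothesis on validity on $c \in C[b/y]\ [x \in A]$ we have $\mathcal{I}(c) \sim_{\mathcal{I}(C[b/y])} \mathcal{I}(c)[x'/x]$. From this and the previous remarks we derive that $\mathcal{I}(c) \sim_{\mathcal{I}(C)} \mathcal{I}(c)[x'/x]$ (and so moreover $\mathcal{I}(c)\,\varepsilon\,\mathcal{J}(C)$ and $\mathcal{I}(c)[x'/x]\,\varepsilon\,\mathcal{J}(C)$).

Moreover, by what we said before, $y \sim_{\mathcal{I}(B)} \mathcal{I}(b)$ is equivalent to $y \sim_{\mathcal{I}(B)} \mathcal{I}(b)[x'/x]$.

This means that

$$ID_1 \vdash \forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \mathcal{I}(b) \sim_{\mathcal{I}(B)} \mathcal{I}(b)[x'/x] \wedge \forall y\,(y \sim_{\mathcal{I}(B)} \mathcal{I}(b) \rightarrow \mathcal{I}(c) \sim_{\mathcal{I}(C)} \mathcal{I}(c)[x'/x])).$$

This exactly means that $\mathcal{R} \vDash \langle b, c\rangle \in (\Sigma y \in B)C\ [x \in A]$.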
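Substitution for dependent sum introduction

For substitution, under the same hypothesis, suppose that

1. $\mathbf{mTT}^a \vdash a \in A$ and

2. $ID_1 \vdash \mathcal{I}(a)\,\varepsilon\,\mathcal{J}(A)$.

By the rules of $\mathbf{mTT}^a$, we know also that $\mathbf{mTT}^a \vdash C[b/y]\ \mathit{col}\ [x \in A]$ and $\mathbf{mTT}^a \vdash B\ \mathit{col}\ [x \in A]$. By inductive hypothesis on substitution of $a$ in $b$, we have that

$$\mathcal{I}(b)[\mathcal{I}(a)/x] \sim_{\mathcal{I}(B[a/x])} \mathcal{I}(b[a/x]).$$

By inductive hypothesis on substitutions of $a$ in $C[b/y]$, of $b\ [x \in A]$ and $x \in A\ [x \in A]$ in $C$, of $a \in A\ [y \in B[a/x]]$ and $y \in B[a/x]\ [y \in B[a/x]]$ in $C$ we obtain that

$$\begin{aligned}
(*)\quad \mathcal{I}(C[b/y][a/x]) &= \mathcal{I}(C[b/y])[\mathcal{I}(a)/x] = \mathcal{I}(C)[\mathcal{I}(b)/y][\mathcal{I}(a)/x] \\
&= \mathcal{I}(C)[\mathcal{I}(a)/x][\mathcal{I}(b)[\mathcal{I}(a)/x]/y] = \mathcal{I}(C[a/x])[\mathcal{I}(b)[\mathcal{I}(a)/x]/y].
\end{aligned}$$

Suppose that $y \sim_{\mathcal{I}(B[a/x])} \mathcal{I}(b)[\mathcal{I}(a)/x]$. By inductive hypothesis on substitution for $c$,

$$\mathcal{I}(c)[\mathcal{I}(a)/x] \sim_{\mathcal{I}(C[b/y][a/x])} \mathcal{I}(c[a/x]).$$

By the inductive hypothesis on substitution

$$\mathcal{I}(B)[\mathcal{I}(a)/x] = \mathcal{I}(B[a/x])$$

(and so $y \sim_{\mathcal{I}(B)[\mathcal{I}(a)/x]} \mathcal{I}(b)[\mathcal{I}(a)/x]$), and using the inductive hypothesis on validity for $C\ \mathit{set}$ we obtain that $\mathcal{I}(C)[\mathcal{I}(a)/x, \mathcal{I}(b)[\mathcal{I}(a)/x]/y] = \mathcal{I}(C)[\mathcal{I}(a)/x]$ and so using $(*)$ we derive that

$$\mathcal{I}(c)[\mathcal{I}(a)/x] \sim_{\mathcal{I}(C[a/x])} \mathcal{I}(c[a/x])$$

after having noticed that $\mathcal{I}(C[a/x]) = \mathcal{I}(C)[\mathcal{I}(a)/x]$ by using the inductive hypothesis on substitution for $C$ with respect to $a \in A\ [y \in B[a/x]]$ and $y \in B[a/x]\ [y \in B[a/x]]$. So we obtained what we needed.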

Dependent sum elimination 

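Suppose we deduced $El_\Sigma(d, (y, z)e) \in E[d/u]\ [x \in A]$ in $\mathbf{mTT}^a$, after having derived

1. $E\ \mathit{set}\ [x \in A, u \in (\Sigma y \in B)C]$,

2. $d \in (\Sigma y \in B)C\ [x \in A]$,

3. $e \in E[\langle y, z\rangle]\ [x \in A, y \in B, z \in C]$ and so also

4. $B\ \mathit{set}\ [x \in A]$,

5. $C\ \mathit{set}\ [x \in A, y \in B]$ by the structure of the rules of $\mathbf{mTT}^a$.

By inductive hypothesis on validity we can suppose that all these judgments are valid in $\mathcal{R}$. In particular we have that $\mathcal{R} \vDash d \in (\Sigma y \in B)C\ [x \in A]$. This in particular implies that in $ID_1$

$$(*)\quad \forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow (p_1(\mathcal{I}(d)) \sim_{\mathcal{I}(B)} p_1(\mathcal{I}(d)[x'/x]) \wedge p_2(\mathcal{I}(d)) \sim_{\mathcal{I}(C)[p_1(\mathcal{I}(d))/y]} p_2(\mathcal{I}(d)[x'/x]))).$$

Moreover we have that $\mathcal{R} \vDash e \in E[\langle y, z\rangle]\ [x \in A, y \in B, z \in C]$. This in particular implies that in $ID_1$

$$\begin{aligned}
(**)\quad \forall x \forall x' \forall y \forall y' \forall z \forall z'\,(&x \sim_{\mathcal{I}(A)} x' \wedge y \sim_{\mathcal{I}(B)} y' \wedge z \sim_{\mathcal{I}(C)} z' \rightarrow \\
&\mathcal{I}(e) \sim_{\mathcal{I}(E[\langle y, z\rangle/u])} \mathcal{I}(e)[x'/x, y'/y, z'/z]).
\end{aligned}$$

Putting together $(*)$ and $(**)$ we obtain that

$$\begin{aligned}
\forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow{} &\mathcal{I}(e)[p_1(\mathcal{I}(d))/y, p_2(\mathcal{I}(d))/z] \sim_{\mathcal{I}(E[\langle y, z\rangle/u])[p_1(\mathcal{I}(d))/y, p_2(\mathcal{I}(d))/z]} \\
&\mathcal{I}(e)[x'/x, p_1(\mathcal{I}(d)[x'/x])/y, p_2(\mathcal{I}(d)[x'/x])/z])
\end{aligned}$$

and this exactly means that

$$\begin{aligned}
(***)\quad \forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow{} &\mathcal{I}(El_\Sigma(d, (y, z)e)) \sim_{\mathcal{I}(E[\langle y, z\rangle/u])[p_1(\mathcal{I}(d))/y, p_2(\mathcal{I}(d))/z]} \\
&\mathcal{I}(El_\Sigma(d, (y, z)e))[x'/x]).
\end{aligned}$$

Now it is immediate to see that

$$\mathbf{mTT}^a \vdash \langle y, z\rangle \in (\Sigma y \in B)C\ [x \in A, y \in B, z \in C]$$
$$\mathbf{mTT}^a \vdash x \in A\ [x \in A, y \in B, z \in C]$$

and these judgments are validated by $\mathcal{R}$, as $C\ \mathit{set}\ [x \in A, y \in B]$ is valid in $\mathcal{R}$. In particular, by the inductive hypothesis on substitution applied to $E$ we have that

$$\forall x \forall y \forall z\,(x\,\varepsilon\,\mathcal{J}(A) \wedge y\,\varepsilon\,\mathcal{J}(B) \wedge z\,\varepsilon\,\mathcal{J}(C) \rightarrow \mathcal{I}(E)[\langle y, z\rangle/u] = \mathcal{I}(E[\langle y, z\rangle/u])).$$

Using $(*)$ we immediately obtain, from the previous, that

$$\forall x\,(x\,\varepsilon\,\mathcal{J}(A) \rightarrow \mathcal{I}(E)[\mathcal{I}(d)/u] = \mathcal{I}(E[\langle y, z\rangle/u])[p_1(\mathcal{I}(d))/y, p_2(\mathcal{I}(d))/z]).$$

Moreover as we have that

$$\mathbf{mTT}^a \vdash d \in (\Sigma y \in B)C\ [x \in A]$$
$$\mathbf{mTT}^a \vdash x \in A\ [x \in A]$$

and both these judgments are valid in $\mathcal{R}$ (the first by inductive hypothesis), we also have that

$$\forall x\,(x\,\varepsilon\,\mathcal{J}(A) \rightarrow \mathcal{I}(E)[\mathcal{I}(d)/u] = \mathcal{I}(E[d/u]))$$

which combined with what we proved before gives us that

$$\forall x\,(x\,\varepsilon\,\mathcal{J}(A) \rightarrow \mathcal{I}(E[d/u]) = \mathcal{I}(E[\langle y, z\rangle/u])[p_1(\mathcal{I}(d))/y, p_2(\mathcal{I}(d))/z]).$$

Recalling $(***)$ we can conclude that in $ID_1$

$$\forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \mathcal{I}(El_\Sigma(d, (y, z)e)) \sim_{\mathcal{I}(E[d/u])} \mathcal{I}(El_\Sigma(d, (y, z)e))[x'/x])$$

which exactly means that

$$\mathcal{R} \vDash El_\Sigma(d, (y, z)e) \in E[d/u]\ [x \in A].$$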
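Substitution for dependent sum elimination

Under the same hypothesis as in the previous point suppose we have $\mathbf{mTT}^a \vdash a \in A$ and $ID_1 \vdash \mathcal{I}(a)\,\varepsilon\,\mathcal{J}(A)$. First of all by inductive hypothesis on substitution applied to $d$ we can derive that in $\mathbf{mTT}^a$

$$\begin{aligned}
(i)\quad &p_1(\mathcal{I}(d)[\mathcal{I}(a)/x]) \sim_{\mathcal{I}(B[a/x])} p_1(\mathcal{I}(d[a/x])) \wedge{} \\
&p_2(\mathcal{I}(d)[\mathcal{I}(a)/x]) \sim_{\mathcal{I}(C[a/x])[p_1(\mathcal{I}(d)[\mathcal{I}(a)/x])/y]} p_2(\mathcal{I}(d[a/x])).
\end{aligned}$$

Using inductive hypothesis on substitution for $B$ and $C$ this is equivalent to

$$\begin{aligned}
&p_1(\mathcal{I}(d)[\mathcal{I}(a)/x]) \sim_{\mathcal{I}(B)[\mathcal{I}(a)/x]} p_1(\mathcal{I}(d[a/x])) \wedge{} \\
&p_2(\mathcal{I}(d)[\mathcal{I}(a)/x]) \sim_{\mathcal{I}(C)[\mathcal{I}(a)/x, p_1(\mathcal{I}(d)[\mathcal{I}(a)/x])/y]} p_2(\mathcal{I}(d[a/x])).
\end{aligned}$$

Using $(**)$ from the previous section we obtain that

$$\begin{aligned}
(ii)\quad &\mathcal{I}(e)[\mathcal{I}(a)/x, p_1(\mathcal{I}(d)[\mathcal{I}(a)/x])/y, p_2(\mathcal{I}(d)[\mathcal{I}(a)/x])/z] \\
&\sim_{\mathcal{I}(E[\langle y, z\rangle])[\mathcal{I}(a)/x, p_1(\mathcal{I}(d)[\mathcal{I}(a)/x])/y, p_2(\mathcal{I}(d)[\mathcal{I}(a)/x])/z]} \\
&\mathcal{I}(e)[\mathcal{I}(a)/x, p_1(\mathcal{I}(d[a/x]))/y, p_2(\mathcal{I}(d[a/x]))/z].
\end{aligned}$$

Now we can easily see that the following judgments are derivable in $\mathbf{mTT}^a$ and valid in $\mathcal{R}$:

$$a \in A\ [y \in B[a/x], z \in C[a/x]]$$
$$y \in B[a/x]\ [y \in B[a/x], z \in C[a/x]]$$
$$z \in C[a/x]\ [y \in B[a/x], z \in C[a/x]],$$

so by inductive hypothesis on substitution applied to $e$ we have that

$$\forall y \forall z\,(y\,\varepsilon\,\mathcal{J}(B[a/x]) \wedge z\,\varepsilon\,\mathcal{J}(C[a/x]) \rightarrow \mathcal{I}(e)[\mathcal{I}(a)/x] \sim_{\mathcal{I}(E[\langle y, z\rangle/u][a/x])} \mathcal{I}(e[a/x])).$$

By using $(i)$ we obtain that in $ID_1$

$$\begin{aligned}
(iii)\quad &\mathcal{I}(e)[\mathcal{I}(a)/x][p_1(\mathcal{I}(d[a/x]))/y, p_2(\mathcal{I}(d[a/x]))/z] \\
&\sim_{\mathcal{I}(E[\langle y, z\rangle/u][a/x])[p_1(\mathcal{I}(d[a/x]))/y, p_2(\mathcal{I}(d[a/x]))/z]} \\
&\mathcal{I}(e[a/x])[p_1(\mathcal{I}(d[a/x]))/y, p_2(\mathcal{I}(d[a/x]))/z].
\end{aligned}$$

Combining $(ii)$ and $(iii)$ and using the inductive hypothesis on substitution applied to $E$ in a way similar to that of the previous subsection we obtain that

$$\begin{aligned}
&\mathcal{I}(e)[\mathcal{I}(a)/x, p_1(\mathcal{I}(d)[\mathcal{I}(a)/x])/y, p_2(\mathcal{I}(d)[\mathcal{I}(a)/x])/z] \sim_{\mathcal{I}(E[d/u][a/x])} \\
&\mathcal{I}(e[a/x])[p_1(\mathcal{I}(d[a/x]))/y, p_2(\mathcal{I}(d[a/x]))/z]
\end{aligned}$$

which is exactly

$$\mathcal{I}(El_\Sigma(d, (y, z)e))[\mathcal{I}(a)/x] \sim_{\mathcal{I}(E[d/u][a/x])} \mathcal{I}(El_\Sigma(d, (y, z)e)[a/x]).$$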
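Dependent sum conversion

Suppose we derived in $\mathbf{mTT}^a$ the judgment $El_\Sigma(\langle b, c\rangle, (y, z)e) = e[b/y, c/z]\ [x \in A]$ by conversion after having derived

1. $b \in B\ [x \in A]$,

2. $c \in C[b/y]\ [x \in A]$,

3. $E\ \mathit{set}\ [x \in A, u \in (\Sigma y \in B)C]$ and

4. $e \in E[\langle y, z\rangle/u]\ [x \in A, y \in B, z \in C]$.

By inductive hypothesis on validity we have that $\mathcal{R} \vDash b \in B\ [x \in A]$ and $\mathcal{R} \vDash c \in C[b/y]\ [x \in A]$. Moreover the judgment $x \in A\ [x \in A]$ is provable in $\mathbf{mTT}^a$ and valid in $\mathcal{R}$. So we can apply the inductive hypothesis on substitution to $e$ obtaining that in $ID_1$

$$\forall x\,(x\,\varepsilon\,\mathcal{J}(A) \rightarrow \mathcal{I}(e)[\mathcal{I}(b)/y, \mathcal{I}(c)/z] \sim_{\mathcal{I}(E[\langle b, c\rangle/u])} \mathcal{I}(e[b/y, c/z]))$$

and this is exactly

$$\forall x\,(x\,\varepsilon\,\mathcal{J}(A) \rightarrow \mathcal{I}(El_\Sigma(\langle b, c\rangle, (y, z)e)) \sim_{\mathcal{I}(E[\langle b, c\rangle/u])} \mathcal{I}(e[b/y, c/z])).$$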

The binary sum set 
Binary sum formation 

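Suppose that $\mathcal{R} \vDash B\ \mathit{set}\ [x \in A]$ and $\mathcal{R} \vDash C\ \mathit{set}\ [x \in A]$, then

$$ID_1 \vdash \forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \forall t \forall s\,(t \sim_{\mathcal{I}(B)} s \leftrightarrow t \sim_{\mathcal{I}(B)[x'/x]} s))$$

$$ID_1 \vdash \forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \forall t \forall s\,(t \sim_{\mathcal{I}(C)} s \leftrightarrow t \sim_{\mathcal{I}(C)[x'/x]} s)).$$

From $x \sim_{\mathcal{I}(A)} x'$ we can also deduce in $ID_1$ that

$$\begin{aligned}
&p_1(t) = p_1(s) \wedge ((p_1(t) = 0 \wedge p_2(t) \sim_{\mathcal{I}(B)} p_2(s)) \vee (p_1(t) = 1 \wedge p_2(t) \sim_{\mathcal{I}(C)} p_2(s))) \leftrightarrow{} \\
&p_1(t) = p_1(s) \wedge ((p_1(t) = 0 \wedge p_2(t) \sim_{\mathcal{I}(B)[x'/x]} p_2(s)) \vee (p_1(t) = 1 \wedge p_2(t) \sim_{\mathcal{I}(C)[x'/x]} p_2(s)))
\end{aligned}$$

which means that $ID_1 \vdash \forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \forall t \forall s\,(t \sim_{\mathcal{I}(B+C)} s \leftrightarrow t \sim_{\mathcal{I}(B+C)[x'/x]} s))$, that is $\mathcal{R} \vDash B + C\ \mathit{set}\ [x \in A]$.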

Substitution for binary sum formation 

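Suppose that in $\mathbf{mTT}^a$ we derived $B + C\ \mathit{set}\ [x \in A]$ by formation after having derived $B\ \mathit{set}\ [x \in A]$ and $C\ \mathit{set}\ [x \in A]$, and suppose that $\mathbf{mTT}^a \vdash a \in A$ and $ID_1 \vdash \mathcal{I}(a)\,\varepsilon\,\mathcal{J}(A)$. Then by inductive hypothesis on substitution for $B$ and $C$ with respect to $a$ we obtain that in $ID_1$

$$\forall t \forall s\,(t \sim_{\mathcal{I}(B)[\mathcal{I}(a)/x]} s \leftrightarrow t \sim_{\mathcal{I}(B[a/x])} s)$$

$$\forall t \forall s\,(t \sim_{\mathcal{I}(C)[\mathcal{I}(a)/x]} s \leftrightarrow t \sim_{\mathcal{I}(C[a/x])} s)$$

and from these it follows that

$$\mathcal{I}(B + C)[\mathcal{I}(a)/x] = \mathcal{I}(B + C[a/x])$$

as $\sim_{\mathcal{I}((\Sigma y \in B)C)}$ only depends on $\mathcal{I}(B)$ and $\mathcal{I}(C)$.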
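Binary sum introduction

Suppose $\mathsf{inl}(b) \in B + C\ [x \in A]$ is derived by introduction after having derived in $\mathbf{mTT}^a$ the judgment $b \in B\ [x \in A]$. Then we can suppose by inductive hypothesis on validity that

$$ID_1 \vdash \forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \mathcal{I}(b) \sim_{\mathcal{I}(B)} \mathcal{I}(b)[x'/x])$$

from which it comes that

$$\begin{aligned}
ID_1 \vdash \forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow{} &p_1(\langle 0, \mathcal{I}(b)\rangle) = p_1(\langle 0, \mathcal{I}(b)[x'/x]\rangle) \wedge{} \\
&p_1(\langle 0, \mathcal{I}(b)\rangle) = 0 \wedge p_2(\langle 0, \mathcal{I}(b)\rangle) \sim_{\mathcal{I}(B)} p_2(\langle 0, \mathcal{I}(b)[x'/x]\rangle))
\end{aligned}$$

which entails that $\mathcal{R} \vDash \mathsf{inl}(b) \in B + C\ [x \in A]$. A similar reasoning holds for $\mathsf{inr}(c)$.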

Substitution for binary sum introduction 

For substitution, the substitutions for $\mathsf{inl}(b)$ or $\mathsf{inr}(c)$ directly come from the inductive hypothesis on substitution for $b$ and $c$ respectively.

Binary sum elimination 

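Suppose we derived $El_+(d, (y)b, (y)c) \in C[d/z]\ [x \in A]$ in $\mathbf{mTT}^a$ by elimination after having derived

1. $d \in B + C\ [x \in A]$,

2. $C\ \mathit{set}\ [x \in A, z \in B + C]$,

3. $b \in C[\mathsf{inl}(y)/z]\ [x \in A, y \in B]$ and

4. $c \in C[\mathsf{inr}(y)/z]\ [x \in A, y \in C]$.

By inductive hypothesis on validity, in $ID_1$, if we assume $x \sim_{\mathcal{I}(A)} x'$ we have that

$$\begin{aligned}
&(p_1(\mathcal{I}(d)) = p_1(\mathcal{I}(d)[x'/x]) = 0 \wedge p_2(\mathcal{I}(d)) \sim_{\mathcal{I}(B)} p_2(\mathcal{I}(d)[x'/x])) \vee{} \\
&(p_1(\mathcal{I}(d)) = p_1(\mathcal{I}(d)[x'/x]) = 1 \wedge p_2(\mathcal{I}(d)) \sim_{\mathcal{I}(C)} p_2(\mathcal{I}(d)[x'/x]));
\end{aligned}$$

$$\forall y \forall y'\,(y \sim_{\mathcal{I}(B)} y' \rightarrow \mathcal{I}(b) \sim_{\mathcal{I}(C[\mathsf{inl}(y)/z])} \mathcal{I}(b)[x'/x, y'/y]);$$

$$\forall y \forall y'\,(y \sim_{\mathcal{I}(B)} y' \rightarrow \mathcal{I}(c) \sim_{\mathcal{I}(C[\mathsf{inr}(y)/z])} \mathcal{I}(c)[x'/x, y'/y]).$$

Using these three conditions we immediately obtain that

$$\begin{aligned}
&(p_1(\mathcal{I}(d)) = p_1(\mathcal{I}(d)[x'/x]) = 0 \wedge{} \\
&\quad \mathcal{I}(b)[p_2(\mathcal{I}(d))/y] \sim_{\mathcal{I}(C[\mathsf{inl}(y)/z])[p_2(\mathcal{I}(d))/y]} \mathcal{I}(b)[x'/x, p_2(\mathcal{I}(d)[x'/x])/y]) \vee{} \\
&(p_1(\mathcal{I}(d)) = p_1(\mathcal{I}(d)[x'/x]) = 1 \wedge{} \\
&\quad \mathcal{I}(c)[p_2(\mathcal{I}(d))/y] \sim_{\mathcal{I}(C[\mathsf{inr}(y)/z])[p_2(\mathcal{I}(d))/y]} \mathcal{I}(c)[x'/x, p_2(\mathcal{I}(d)[x'/x])/y]).
\end{aligned}$$

Using the inductive hypothesis on substitution for $C$ with respect to

$$x \in A\ [x \in A, y \in B],\quad \mathsf{inl}(y) \in B + C\ [x \in A, y \in B]$$

and with respect to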

, inl(y) G 13 -\- C^x ^ y € -^] 

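we obtain that

$$\begin{aligned}
&(p_1(\mathcal{I}(d)) = p_1(\mathcal{I}(d)[x'/x]) = 0 \wedge{} \\
&\quad \mathcal{I}(b)[p_2(\mathcal{I}(d))/y] \sim_{\mathcal{I}(C)[\mathcal{I}(d)/u]} \mathcal{I}(b)[x'/x, p_2(\mathcal{I}(d)[x'/x])/y]) \vee{} \\
&(p_1(\mathcal{I}(d)) = p_1(\mathcal{I}(d)[x'/x]) = 1 \wedge{} \\
&\quad \mathcal{I}(c)[p_2(\mathcal{I}(d))/y] \sim_{\mathcal{I}(C)[\mathcal{I}(d)/u]} \mathcal{I}(c)[x'/x, p_2(\mathcal{I}(d)[x'/x])/y]).
\end{aligned}$$

Using the inductive hypothesis on substitution for $C$ with respect to $x \in A\ [x \in A]$ and $d \in B + C\ [x \in A]$ we obtain that

$$\begin{aligned}
&(p_1(\mathcal{I}(d)) = p_1(\mathcal{I}(d)[x'/x]) = 0 \wedge{} \\
&\quad \mathcal{I}(b)[p_2(\mathcal{I}(d))/y] \sim_{\mathcal{I}(C[d/u])} \mathcal{I}(b)[x'/x, p_2(\mathcal{I}(d)[x'/x])/y]) \vee{} \\
&(p_1(\mathcal{I}(d)) = p_1(\mathcal{I}(d)[x'/x]) = 1 \wedge{} \\
&\quad \mathcal{I}(c)[p_2(\mathcal{I}(d))/y] \sim_{\mathcal{I}(C[d/u])} \mathcal{I}(c)[x'/x, p_2(\mathcal{I}(d)[x'/x])/y]).
\end{aligned}$$

By definition this is equivalent to

$$\mathcal{I}(El_+(d, (y)b, (y)c)) \sim_{\mathcal{I}(C[d/u])} \mathcal{I}(El_+(d, (y)b, (y)c))[x'/x].$$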

This is what we needed. 

Substitution for binary sum elimination 

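Suppose we derived $El_+(d, (y)b, (y)c) \in C[d/z]\ [x \in A]$ in $\mathbf{mTT}^a$ by elimination after having derived

1. $d \in B + C\ [x \in A]$,

2. $C\ \mathit{set}\ [x \in A, z \in B + C]$,

3. $b \in C[\mathsf{inl}(y)/z]\ [x \in A, y \in B]$ and

4. $c \in C[\mathsf{inr}(y)/z]\ [x \in A, y \in C]$.

Suppose moreover that $\mathbf{mTT}^a \vdash a \in A$ and $ID_1 \vdash \mathcal{I}(a)\,\varepsilon\,\mathcal{J}(A)$. Recall that by the structure of rules in $\mathbf{mTT}^a$ we have already derived $B\ \mathit{set}\ [x \in A]$ and $C\ \mathit{set}\ [x \in A]$. By inductive hypothesis on substitution we have that in $ID_1$:

$$\begin{aligned}
&(p_1(\mathcal{I}(d)[\mathcal{I}(a)/x]) = p_1(\mathcal{I}(d[a/x])) = 0 \wedge p_2(\mathcal{I}(d)[\mathcal{I}(a)/x]) \sim_{\mathcal{I}(B)} p_2(\mathcal{I}(d[a/x]))) \vee{} \\
&(p_1(\mathcal{I}(d)[\mathcal{I}(a)/x]) = p_1(\mathcal{I}(d[a/x])) = 1 \wedge p_2(\mathcal{I}(d)[\mathcal{I}(a)/x]) \sim_{\mathcal{I}(C)} p_2(\mathcal{I}(d[a/x])));
\end{aligned}$$

$$\mathcal{I}(b)[\mathcal{I}(a)/x] \sim_{\mathcal{I}(C[\mathsf{inl}(y)/z][a/x])} \mathcal{I}(b[a/x]);$$

$$\mathcal{I}(c)[\mathcal{I}(a)/x] \sim_{\mathcal{I}(C[\mathsf{inr}(y)/z][a/x])} \mathcal{I}(c[a/x]).$$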

Using the inductive hypothesis on validity for b and c, the inductive hypothesis on substitution for 
B and C with respect a, and the previous relations we obtain that 

{pi{X{d)[X{a) / x]) = pi{X{d[a/x])) = OA 
I{h)[T{a)/x\[p 2 {T{d)[T{a)/x\)/y\ ^i(c[m\(y)/z][i(a)/x,p^(i(d[a/x])/y]) Ab)[I{a)/x\[p 2 {I{d[a/x\))/y\A
X{h)[X{a)/x\[p 2 {X{d[a/x\))/y\ ^x{C[m\{y)/u][a/u])[i(d[a/x\)/y] X{h[a/x\)[p 2 {X{d[a/x]))/y\)\J 
{pi{X{d)[X{a) / x\) = pi{X{d[a/x])) = lA 

X[c)\X[a)/x\[p 2 id'id)[X(a)/x])/y] ^x{C[mr{y)/z\[x{a)/x,p 2 {i{d[a/x\)/y]) 2^(c) \X{a)/x\\p 2 ^{d\(i/xY))/y\/\ 

X{c)[X{a)/x\[p 2 {X{d[alx\))ly\ ~i(c[mr(y)/«][a/«])[i(d[a/x])/y] Ac[a/A)[P 2 {Ad[a/x\))/y\). 

Applying many times the inductive hypothesis on substitution for C with respect to different 
terms, we obtain that 

{pi{X{d)[X{a) / x\) = pi{X{d[a/x\)) = OA 
X{b)[X{a)/x\[p 2 {X{d)[X{a)/x\)/y\ '^x(C[d/u][a/x] X{b[a/x\)[p 2 {X{d[a/x\))/y])y 
{pi{X{d)[X{a) / x\) = pi{X{d[a/x])) = lA 
X{c)[X{a)/x\[p 2 {X{d)[X{a)/x\)/y] '^x(C[d/u][a/u\)'d{c[a/x\)[p 2 {X{d[a/x]))/y]). 

Using the definition of the interpretation of El+{d, {y)b, {y)c) we can conclude. 


Binary sum conversion 

Suppose we derived $El_+(\mathsf{inl}(e), (y)b, (y)c) = b[e/y] \in C[\mathsf{inl}(e)/z]\ [x \in A]$ in $\mathbf{mTT}^a$ by conversion after having derived $e \in B\ [x \in A]$, $C\ \mathit{set}\ [x \in A, z \in B + C]$, $b \in C[\mathsf{inl}(y)/z]\ [x \in A, y \in B]$ and $c \in C[\mathsf{inr}(y)/z]\ [x \in A, y \in C]$. Suppose $x\,\varepsilon\,\mathcal{J}(A)$, then in $ID_1$ we have that by inductive hypothesis on substitution for $b$ with respect to $x \in A\ [x \in A]$ and $e \in B\ [x \in A]$

$$\mathcal{I}(b)[\mathcal{I}(e)/y] \sim_{\mathcal{I}(B)[\mathsf{inl}(e)/u]} \mathcal{I}(b[e/y])$$

which is exactly

$$\mathcal{I}(El_+(\mathsf{inl}(e), (y)b, (y)c)) \sim_{\mathcal{I}(B)[\mathsf{inl}(e)/u]} \mathcal{I}(b[e/y])$$

which is what we needed. The other case is symmetric.


List sets 

This case is similar to that of natural numbers but a little more complicated. You must use induction with respect to the length of lists.


Falsum propositions 

Completely analogous to the case of empty set. 


Conjunction propositions 

Analogous to dependent sums. 

Disjunction propositions 

Analogous to binary sums. 


Implication propositions 

Analogous to dependent products. 
Universal quantification propositions

Analogous to dependent products. 

Existential quantification propositions 

Analogous to dependent sums. 

Identity propositions 
Identity formation 

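Suppose that $\mathcal{R} \vDash B\ \mathit{set}\ [x \in A]$, $\mathcal{R} \vDash b \in B\ [x \in A]$ and $\mathcal{R} \vDash c \in B\ [x \in A]$, then

$$ID_1 \vdash \forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \forall t \forall s\,(t \sim_{\mathcal{I}(B)} s \leftrightarrow t \sim_{\mathcal{I}(B)[x'/x]} s));$$

$$ID_1 \vdash \forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \mathcal{I}(b) \sim_{\mathcal{I}(B)} \mathcal{I}(b)[x'/x]);$$

$$ID_1 \vdash \forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \mathcal{I}(c) \sim_{\mathcal{I}(B)} \mathcal{I}(c)[x'/x]).$$

Using the previous conditions, we can deduce in $ID_1$ from $x \sim_{\mathcal{I}(A)} x'$ that

$$(t \sim_{\mathcal{I}(B)} \mathcal{I}(b) \wedge \mathcal{I}(b) \sim_{\mathcal{I}(B)} \mathcal{I}(c)) \leftrightarrow (t \sim_{\mathcal{I}(B)[x'/x]} \mathcal{I}(b)[x'/x] \wedge \mathcal{I}(b)[x'/x] \sim_{\mathcal{I}(B)[x'/x]} \mathcal{I}(c)[x'/x])$$

which means that $ID_1 \vdash \forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \forall t\,(t\,\varepsilon\,\mathcal{I}(\mathsf{Id}(B, b, c)) \leftrightarrow t\,\varepsilon\,\mathcal{I}(\mathsf{Id}(B, b, c))[x'/x]))$, that is $\mathcal{R} \vDash \mathsf{Id}(B, b, c)\ [x \in A]$.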


Substitution for Formation 

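In addition to the hypotheses in the previous point add that $\mathbf{mTT}^a \vdash a \in A$ and $ID_1 \vdash \mathcal{I}(a)\,\varepsilon\,\mathcal{J}(A)$. By inductive hypothesis on substitution we have that in $ID_1$

$$\forall t \forall s\,(t \sim_{\mathcal{I}(B)[\mathcal{I}(a)/x]} s \leftrightarrow t \sim_{\mathcal{I}(B[a/x])} s);$$

$$\mathcal{I}(b)[\mathcal{I}(a)/x] \sim_{\mathcal{I}(B[a/x])} \mathcal{I}(b[a/x]);$$

$$\mathcal{I}(c)[\mathcal{I}(a)/x] \sim_{\mathcal{I}(B[a/x])} \mathcal{I}(c[a/x]).$$

From these we obtain that for every $t$, in $ID_1$,

$$t\,\varepsilon\,\mathcal{J}(\mathsf{Id}(B, b, c))[\mathcal{I}(a)/x]$$

is equivalent to

$$t \sim_{\mathcal{I}(B)[\mathcal{I}(a)/x]} \mathcal{I}(b)[\mathcal{I}(a)/x] \wedge \mathcal{I}(b)[\mathcal{I}(a)/x] \sim_{\mathcal{I}(B)[\mathcal{I}(a)/x]} \mathcal{I}(c)[\mathcal{I}(a)/x]$$

and this is equivalent to

$$t \sim_{\mathcal{I}(B[a/x])} \mathcal{I}(b)[\mathcal{I}(a)/x] \wedge \mathcal{I}(b)[\mathcal{I}(a)/x] \sim_{\mathcal{I}(B[a/x])} \mathcal{I}(c)[\mathcal{I}(a)/x]$$

and this is equivalent to

$$t \sim_{\mathcal{I}(B[a/x])} \mathcal{I}(b[a/x]) \wedge \mathcal{I}(b[a/x]) \sim_{\mathcal{I}(B[a/x])} \mathcal{I}(c[a/x])$$

which is

$$t\,\varepsilon\,\mathcal{J}(\mathsf{Id}(B, b, c)[a/x]).$$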
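Identity introduction

Suppose we derive $\mathsf{id}(b) \in \mathsf{Id}(B, b, b)\ [x \in A]$ by introduction in $\mathbf{mTT}^a$ after having derived $b \in B\ [x \in A]$. By inductive hypothesis on validity we have that in $ID_1$

$$\forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \mathcal{I}(b) \sim_{\mathcal{I}(B)} \mathcal{I}(b)[x'/x]).$$

This implies that in $ID_1$ we have

$$\forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \mathcal{I}(b) \sim_{\mathcal{I}(B)} \mathcal{I}(b) \wedge \mathcal{I}(b)[x'/x] \sim_{\mathcal{I}(B)} \mathcal{I}(b))$$

which means that in $ID_1$

$$\forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \mathcal{I}(\mathsf{id}(b))\,\varepsilon\,\mathcal{I}(\mathsf{Id}(B, b, b)) \wedge \mathcal{I}(\mathsf{id}(b))[x'/x]\,\varepsilon\,\mathcal{I}(\mathsf{Id}(B, b, b)))$$

which means that $\mathcal{R} \vDash \mathsf{id}(b) \in \mathsf{Id}(B, b, b)\ [x \in A]$.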

Substitution for identity introduction 

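In addition to the hypothesis in the previous point suppose that $\mathbf{mTT}^a \vdash a \in A$ and $ID_1 \vdash \mathcal{I}(a)\,\varepsilon\,\mathcal{J}(A)$. By inductive hypothesis on substitution we have that

$$ID_1 \vdash \mathcal{I}(b)[\mathcal{I}(a)/x] \sim_{\mathcal{I}(B[a/x])} \mathcal{I}(b[a/x]).$$

This implies in particular that

$$\mathcal{I}(\mathsf{id}(b))[\mathcal{I}(a)/x]\,\varepsilon\,\mathcal{J}(\mathsf{Id}(B, b, b)[a/x]) \wedge \mathcal{I}(\mathsf{id}(b)[a/x])\,\varepsilon\,\mathcal{J}(\mathsf{Id}(B, b, b)[a/x])$$

which is what we needed.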

Identity elimination 

Suppose we derived in mTT® the judgment Elid{p, iy)x)) G 6[b/y,c/z][x G A] by elimination after 
having derived in mTT'* the judgments 

1. & G B[x G A], 

2. c G B[x G A], 

3. p € ld(i?, b, c)[x G A\, 

4. 5props[x € A,y ^ B,z € B], 

5. 5\b/y^ c/ z\props{x G A] and 

6. r G 5[y/z\[x G A, j/ G B] (and so also 5[y/z\ set [x & A,y & B] by the structure of the rules of 

mTT®). 

By inductive hypothesis on validity for p, a and b we have that in IDi 

(*) Va:Vx'(a; ~x(A) x' -A X{p) r^xiB) I{b) AX{p)[x'/x] -^xiB) I{p) AX{b) ^x(b) X{c)A 

I{b) ~z(B) X{b)[x'/x] A 1(c) ~x(B) 2i(c)[a;7a:]). 
By inductive hypothesis on validity for 5[y/z\ and what we just showed we have that in IDi


{**)yx{xeJ{A) ^I{S[y/z])[I{p)/y] ^ I{S[y/z])[I{b)/y]). 

By using the inductive hypothesis on substitution for 6 with respect to a; € A[x € A,y £ B] and two 
copies oi y & B[x & A,y & B] we obtain that in IDi 

* *)\/x\/y{xeJ{A) AyeJ{B) -^I{S)[y/z] =I{6[y/z])). 

Putting {*), (**) and (* * *) together we obtain that in IDi 

\lx{x£j{A) ^X{5[y/z\)[I{p)/y] X{5)[X{h)/y,X{h)/z\). 

Using the inductive hypothesis on validity for 5 and (*) we obtain that in IDi 

^x{x£j{A) ^X{5[y/z\)[X{p)/y] X{5)[X{h)/y,X{c)/z]). 

Using the inductive hypothesis on substitution for 5 with respect io x & A[x & A\, 
b G B[x G A\ and c G B[x G A\ we obtain that in IDi 

{*-^*:>^)\lx{x£j{A) -^X{5[y/z\)^{p)/y\ ^ X{5[b/y,c/z])). 

Using the inductive hypothesis on validity for p and r we obtain that in IDi 

^ ^ X)'ix'ix{x ~i(^) x' -AX{r)[X{p)/y]£j{6\y/z\)[X{p)/y]A 
X{r)[x’/x][X{p)[x'lx]/y]£j{5[y/z])[X{p)/y]). 

From (* * **) and (*****) we obtain that in IDi 

VxVx'ix r^x(A) x' -^X{r)[X{p)/y]£j{5[b/y,c/z]) AX{r)[x'/x\[X(p)[x'/x]/y\£j{5[b/y,c/z])) 
which means that in IDi 

Va:Vx'(a; ~i(a) x' -a X{Elid{p, {y)r))£j{S[b/y,c/z]) AX{Elidip, {y)r)[x'/x])£j{S[b/y,c/z])) 
which exactly means that TZ N El[d{p, {y)r) G 5\b/y,c/z\[x G A\. 

Substitution for identity elimination 

In addition to the hypotheses of the previous point assume that mTT'* h a G A and 
IDi h X{a)£j{A). The proof is similar to that of the previous point. 

Collections of codes for small propositions and sets 

We start by considering validity and the rules of the collection Set. 


Universe of sets 
Universe of sets formation 

The formation is trivially verified. 
Universe of sets introduction

The validity of the judgments $N_0 \in \mathsf{Set}$, $N_1 \in \mathsf{Set}$ and $N \in \mathsf{Set}$ follows directly from the coding. It is an immediate exercise in classical logic to show that if $\mathcal{R} \vDash p \in \mathsf{Set}$ and $\mathcal{R} \vDash q \in \mathsf{Set}$, then also $\mathcal{R} \vDash p + q \in \mathsf{Set}$ and if $\mathcal{R} \vDash p \in \mathsf{Set}$, then $\mathcal{R} \vDash \mathsf{List}(p) \in \mathsf{Set}$. It is also immediate, by definition, to show that if $\mathcal{R} \vDash p \in \mathsf{prop_s}$, then $\mathcal{R} \vDash p \in \mathsf{Set}$. In the case of $(\Sigma x \in A)p$ and $(\Pi x \in A)p$ we must use the inductive hypothesis on coding and on validity to show (in a way analogous to that of the proof of coding which will follow) that if $\mathbf{mTT}^a \vdash A\ \mathit{set}$ and $\mathbf{mTT}^a \vdash p \in \mathsf{Set}\ [x \in A]$, then $ID_1 \vdash \mathsf{Fam}(\Lambda x.\mathcal{I}(p), \mathcal{I}(A))$ and then to show $\mathcal{R} \vDash (\Sigma x \in A)p \in \mathsf{Set}$ and $\mathcal{R} \vDash (\Pi x \in A)p \in \mathsf{Set}$. The proof of substitution consists of an easy verification.

Universe of small propositions 

The case of $\mathsf{prop_s}$ is completely analogous and elimination and conversions follow from the proof-irrelevance. Proofs of the statements for propositions are analogous to those for small propositions.

Other collections 

Proofs of the statements for $\Sigma$-collections are analogous to those for $\Sigma$-sets. Proofs of the statements for $\rightarrow \mathsf{prop_s}$-collections are analogous to those for $\Pi$-sets. Substitutions can be proven by using the inductive hypotheses.

General rules 
Assumption of variable 

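We must show that $\mathcal{R} \vDash x_j \in A_j\ [x_1 \in A_1, \ldots, x_n \in A_n]$ for $1 \leq j \leq n$. This is obviously true as

$$ID_1 \vdash \forall x_1 \forall x_1' \ldots \forall x_n \forall x_n'\,(x_1 \sim_{\mathcal{I}(A_1)} x_1' \wedge \ldots \wedge x_n \sim_{\mathcal{I}(A_n)} x_n' \rightarrow x_j \sim_{\mathcal{I}(A_j)} x_j').$$

For substitution if $\mathbf{mTT}^a \vdash a_1 \in A_1, \ldots, \mathbf{mTT}^a \vdash a_n \in A_n[a_1/x_1, \ldots, a_{n-1}/x_{n-1}]$ and these judgments are validated by $\mathcal{R}$, then in particular

$$\mathcal{I}(a_j) \sim_{\mathcal{I}(A_j[a_1/x_1, \ldots, a_{j-1}/x_{j-1}])} \mathcal{I}(a_j)$$

which is exactly

$$\mathcal{I}(x_j)[\mathcal{I}(a_1)/x_1, \ldots, \mathcal{I}(a_n)/x_n] \sim_{\mathcal{I}(A_j[a_1/x_1, \ldots, a_{j-1}/x_{j-1}])} \mathcal{I}(x_j[a_1/x_1, \ldots, a_n/x_n]).$$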

Reflexivity, symmetry and transitivity of type equality 

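Suppose that from $\mathbf{mTT}^a \vdash B\ type\ [x \in A]$ we derive by reflexivity that 
$\mathbf{mTT}^a \vdash B = B\ type\ [x \in A]$. By inductive hypothesis on validity we have that 

$$ID_1 \vdash \forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \forall t \forall s\,(t \sim_{\mathcal{I}(B)} s \leftrightarrow t \sim_{\mathcal{I}(B)[x'/x]} s)).$$

Now $x \,\varepsilon\, \mathcal{J}(A)$ implies in $ID_1$ that $x \sim_{\mathcal{I}(A)} x$. So 

$$ID_1 \vdash \forall x\,(x \,\varepsilon\, \mathcal{J}(A) \rightarrow \forall t \forall s\,(t \sim_{\mathcal{I}(B)} s \leftrightarrow t \sim_{\mathcal{I}(B)} s))$$

which exactly means that 

$$\mathcal{R} \models B = B\ type\ [x \in A].$$

Suppose now that from $\mathbf{mTT}^a \vdash B = C\ type\ [x \in A]$ we derive by symmetry 

$$\mathbf{mTT}^a \vdash C = B\ type\ [x \in A].$$

By inductive hypothesis on validity we have that 

$$ID_1 \vdash \forall x \forall x'\,(x \,\varepsilon\, \mathcal{J}(A) \rightarrow \forall t \forall s\,(t \sim_{\mathcal{I}(B)} s \leftrightarrow t \sim_{\mathcal{I}(C)} s)).$$

This clearly entails that 

$$ID_1 \vdash \forall x \forall x'\,(x \,\varepsilon\, \mathcal{J}(A) \rightarrow \forall t \forall s\,(t \sim_{\mathcal{I}(C)} s \leftrightarrow t \sim_{\mathcal{I}(B)} s))$$

which exactly means that $\mathcal{R} \models C = B\ type\ [x \in A]$. 

Suppose now that from $\mathbf{mTT}^a \vdash B = C\ type\ [x \in A]$ and $\mathbf{mTT}^a \vdash C = D\ type\ [x \in A]$ we derive 
by transitivity $\mathbf{mTT}^a \vdash B = D\ type\ [x \in A]$. By inductive hypothesis on validity we have that 

$$ID_1 \vdash \forall x \forall x'\,(x \,\varepsilon\, \mathcal{J}(A) \rightarrow \forall t \forall s\,(t \sim_{\mathcal{I}(B)} s \leftrightarrow t \sim_{\mathcal{I}(C)} s))$$

and 

$$ID_1 \vdash \forall x \forall x'\,(x \,\varepsilon\, \mathcal{J}(A) \rightarrow \forall t \forall s\,(t \sim_{\mathcal{I}(C)} s \leftrightarrow t \sim_{\mathcal{I}(D)} s)).$$

And this clearly entails that 

$$ID_1 \vdash \forall x \forall x'\,(x \,\varepsilon\, \mathcal{J}(A) \rightarrow \forall t \forall s\,(t \sim_{\mathcal{I}(B)} s \leftrightarrow t \sim_{\mathcal{I}(D)} s))$$

which exactly means that $\mathcal{R} \models B = D\ type\ [x \in A]$. 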

Substitution for types 

We restrict to the case of one substitution. 

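Suppose that $\mathbf{mTT}^a \vdash D[b_1/y_1, c_1/z_1] = D[b_2/y_2, c_2/z_2]\ type\ [x \in A]$ is derived by sub-T after 
having derived in $\mathbf{mTT}^a$ the judgments 

1. $D\ type\ [x \in A, y \in B, z \in C]$, 

2. $b_1 \in B\ [x \in A]$, 

3. $b_2 \in B\ [x \in A]$, 

4. $c_1 \in C[b_1/y]\ [x \in A]$, 

5. $c_2 \in C[b_2/y]\ [x \in A]$, 

6. $b_1 = b_2 \in B\ [x \in A]$, 

7. $c_1 = c_2 \in C[b_1/y]\ [x \in A]$, 

8. $B\ type\ [x \in A]$ and 

9. $C\ type\ [x \in A, y \in B]$. 

Using the inductive hypothesis on validity and on substitution we can obtain that in $ID_1$ 

$$\forall x\,(x \,\varepsilon\, \mathcal{J}(A) \rightarrow \mathcal{I}(D)[\mathcal{I}(b_1)/y, \mathcal{I}(c_1)/z] = \mathcal{I}(D[b_1/y, c_1/z])),$$

$$\forall x\,(x \,\varepsilon\, \mathcal{J}(A) \rightarrow \mathcal{I}(D)[\mathcal{I}(b_2)/y, \mathcal{I}(c_2)/z] = \mathcal{I}(D[b_2/y, c_2/z])),$$

$$\forall x\,(x \,\varepsilon\, \mathcal{J}(A) \rightarrow \mathcal{I}(C)[\mathcal{I}(b_1)/y] = \mathcal{I}(C[b_1/y])).$$

These together with the inductive hypothesis on validity for 

1. $D\ type\ [x \in A, y \in B, z \in C]$, 

2. $b_1 = b_2 \in B\ [x \in A]$ (which is $ID_1 \vdash \forall x\,(x \,\varepsilon\, \mathcal{J}(A) \rightarrow \mathcal{I}(b_1) \sim_{\mathcal{I}(B)} \mathcal{I}(b_2))$), 

3. $c_1 = c_2 \in C[b_1/y]\ [x \in A]$ (which is $ID_1 \vdash \forall x\,(x \,\varepsilon\, \mathcal{J}(A) \rightarrow \mathcal{I}(c_1) \sim_{\mathcal{I}(C[b_1/y])} \mathcal{I}(c_2))$), 

gives us that in $ID_1$ 

$$\forall x\,(x \,\varepsilon\, \mathcal{J}(A) \rightarrow \mathcal{I}(D[b_1/y, c_1/z]) = \mathcal{I}(D[b_2/y, c_2/z])).$$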

Reflexivity, symmetry and transitivity of definitional equality 

The rules of reflexivity, symmetry and transitivity for terms preserve the validity with premisses 
provable in $\mathbf{mTT}^a$, thanks to ??. 

Substitution for terms 

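Suppose that $\mathbf{mTT}^a \vdash d[b_1/y_1, c_1/z_1] = d[b_2/y_2, c_2/z_2] \in D[b_1/y_1, c_1/z_1]\ [x \in A]$ is derived by sub 
after having derived in $\mathbf{mTT}^a$ the judgments $d \in D\ [x \in A, y \in B, z \in C]$, 
$D\ type\ [x \in A, y \in B, z \in C]$, $b_1 \in B\ [x \in A]$, $b_2 \in B\ [x \in A]$, $c_1 \in C[b_1/y]\ [x \in A]$, 
$c_2 \in C[b_2/y]\ [x \in A]$, $b_1 = b_2 \in B\ [x \in A]$, $c_1 = c_2 \in C[b_1/y]\ [x \in A]$, $B\ type\ [x \in A]$ and 
$C\ type\ [x \in A, y \in B]$. As in the case of sub-T we derive that in $ID_1$ 

$$\forall x\,(x \,\varepsilon\, \mathcal{J}(A) \rightarrow \mathcal{I}(C)[\mathcal{I}(b_1)/y] = \mathcal{I}(C[b_1/y])),$$

$$\forall x\,(x \,\varepsilon\, \mathcal{J}(A) \rightarrow \mathcal{I}(D[b_1/y, c_1/z]) = \mathcal{I}(D[b_2/y, c_2/z])).$$

Now by using the inductive hypothesis on substitution for $D$ and $d$ we obtain that 

$$\forall x\,(x \,\varepsilon\, \mathcal{J}(A) \rightarrow \mathcal{I}(D)[\mathcal{I}(b_1)/y, \mathcal{I}(c_1)/z] = \mathcal{I}(D[b_1/y, c_1/z])),$$

$$\forall x\,(x \,\varepsilon\, \mathcal{J}(A) \rightarrow \mathcal{I}(d)[\mathcal{I}(b_1)/y, \mathcal{I}(c_1)/z] \sim_{\mathcal{I}(D[b_1/y, c_1/z])} \mathcal{I}(d[b_1/y, c_1/z])),$$

$$\forall x\,(x \,\varepsilon\, \mathcal{J}(A) \rightarrow \mathcal{I}(d)[\mathcal{I}(b_2)/y, \mathcal{I}(c_2)/z] \sim_{\mathcal{I}(D[b_2/y, c_2/z])} \mathcal{I}(d[b_2/y, c_2/z])),$$

and using these and the previous together with the inductive hypothesis on validity for $d$, $b_1 = b_2$ 
and $c_1 = c_2$, we obtain that 

$$\forall x\,(x \,\varepsilon\, \mathcal{J}(A) \rightarrow \mathcal{I}(d[b_1/y, c_1/z]) \sim_{\mathcal{I}(D[b_1/y, c_1/z])} \mathcal{I}(d[b_2/y, c_2/z])).$$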

Rules of conversions 

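Suppose $\mathbf{mTT}^a \vdash b \in C\ [x \in A]$ is derived by the rule conv after having derived 
$\mathbf{mTT}^a \vdash B = C\ [x \in A]$ and $\mathbf{mTT}^a \vdash b \in B\ [x \in A]$. By inductive hypothesis we have that 

$$\forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \mathcal{I}(b) \sim_{\mathcal{I}(B)} \mathcal{I}(b)[x'/x]);$$

$$\forall x\,(x \,\varepsilon\, \mathcal{J}(A) \rightarrow \mathcal{I}(B) = \mathcal{I}(C)).$$

From these it immediately follows that 

$$\forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow \mathcal{I}(b) \sim_{\mathcal{I}(C)} \mathcal{I}(b)[x'/x])$$

which means that $\mathcal{R} \models b \in C\ [x \in A]$. 

Let us now prove substitution for conv. Suppose $\mathbf{mTT}^a \vdash a \in A$. Then by inductive hypothesis 
on substitution (using the fact that we know that there are shorter proofs of $B\ type\ [x \in A]$ and 
$C\ type\ [x \in A]$) we have that if $x \,\varepsilon\, \mathcal{J}(A)$ we have that in $ID_1$ 

$$\mathcal{I}(b)[\mathcal{I}(a)/x] \sim_{\mathcal{I}(B[a/x])} \mathcal{I}(b[a/x]);$$

$$\mathcal{I}(B)[\mathcal{I}(a)/x] = \mathcal{I}(B[a/x]);$$

$$\mathcal{I}(C)[\mathcal{I}(a)/x] = \mathcal{I}(C[a/x]);$$

and using the inductive hypothesis on validity we obtain that 

$$\mathcal{I}(b)[\mathcal{I}(a)/x] \sim_{\mathcal{I}(C[a/x])} \mathcal{I}(b[a/x])$$

which is what we needed. 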

The rule of conversion immediately follows from the definition of the interpretation of judgments. 

Coding condition 

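First of all notice that, for coding, it is sufficient to show that if $\mathbf{mTT}^a \vdash A\ set$, then $ID_1 \vdash Set(\mathcal{I}(A))$. 
In fact if basic formulas $x \,\varepsilon\, \mathcal{J}(-)$, $\neg(x \,\varepsilon\, \mathcal{J}(-))$, $x \sim_{\mathcal{I}(-)} y$ and $\neg(x \sim_{\mathcal{I}(-)} y)$ are equivalent respectively 
to $x \,\varepsilon\, \mathcal{I}(-)$, $x \not\varepsilon\, \mathcal{I}(-)$, $x =_{\mathcal{I}(-)} y$ and $x \neq_{\mathcal{I}(-)} y$, then (</>)“'" is equivalent to (p and p is equivalent to 
-'(j). So we must suppose that $\mathbf{mTT}^a \vdash A\ set$ is derived by formation from other provable judgments 
and then we must prove, using the inductive hypothesis, that $ID_1 \vdash Set(\mathcal{I}(A))$. 

The cases $N_0$, $N_1$, $N$, $A + A'$, $List(A)$, $\bot$, $A \wedge A'$, $A \vee A'$, $A \rightarrow A'$, $Id(A, a, b)$ are immediate. 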

Coding condition for dependent sums and products 

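Suppose that we derived $(\Pi x \in A)B\ set$ or $(\Sigma x \in A)B\ set$ in $\mathbf{mTT}^a$ by formation after having 
derived $A\ set$ and $B\ set\ [x \in A]$. By inductive hypothesis on coding for $A$ we have that 

$$(*)\quad ID_1 \vdash Set(\mathcal{I}(A)).$$

By inductive hypothesis on coding for $B$ we have also that 

$$ID_1 \vdash \forall x\,(x \,\varepsilon\, \mathcal{J}(A) \rightarrow Set(\mathcal{I}(B)))$$

and so using classical logic we have that 

$$ID_1 \vdash \forall x\,(\neg\, x \,\varepsilon\, \mathcal{J}(A) \vee Set(\mathcal{I}(B)))$$

and using the inductive hypothesis on coding for $A$ we have that 

$$(**)\quad ID_1 \vdash \forall x\,(x \not\varepsilon\, \mathcal{I}(A) \vee Set(\mathcal{I}(B))).$$

Now suppose that $x \sim_{\mathcal{I}(A)} x'$, then by inductive hypothesis on validity we can deduce in $ID_1$ that 

$$\forall t\,(t \,\varepsilon\, \mathcal{J}(B) \leftrightarrow t \,\varepsilon\, \mathcal{J}(B)[x'/x]) \wedge \forall t \forall s\,(t \sim_{\mathcal{I}(B)} s \leftrightarrow t \sim_{\mathcal{I}(B)[x'/x]} s)$$

which is equivalent, by classical logic, to 

$$\begin{aligned}
&\forall t\,((\neg\, t \,\varepsilon\, \mathcal{J}(B) \vee t \,\varepsilon\, \mathcal{J}(B)[x'/x]) \wedge (\neg\, t \,\varepsilon\, \mathcal{J}(B)[x'/x] \vee t \,\varepsilon\, \mathcal{J}(B)))\ \wedge \\
&\forall t \forall s\,((\neg\, t \sim_{\mathcal{I}(B)} s \vee t \sim_{\mathcal{I}(B)[x'/x]} s) \wedge (\neg\, t \sim_{\mathcal{I}(B)[x'/x]} s \vee t \sim_{\mathcal{I}(B)} s))
\end{aligned}$$

which is equivalent by inductive hypothesis on coding to 

$$\begin{aligned}
&\forall t\,((t \not\varepsilon\, \mathcal{I}(B) \vee t \,\varepsilon\, \mathcal{I}(B)[x'/x]) \wedge (t \not\varepsilon\, \mathcal{I}(B)[x'/x] \vee t \,\varepsilon\, \mathcal{I}(B)))\ \wedge \\
&\forall t \forall s\,((t \neq_{\mathcal{I}(B)} s \vee t =_{\mathcal{I}(B)[x'/x]} s) \wedge (t \neq_{\mathcal{I}(B)[x'/x]} s \vee t =_{\mathcal{I}(B)} s)).
\end{aligned}$$

So 

$$\begin{aligned}
ID_1 \vdash \forall x \forall x'\,(x \sim_{\mathcal{I}(A)} x' \rightarrow\ &\forall t\,((t \not\varepsilon\, \mathcal{I}(B) \vee t \,\varepsilon\, \mathcal{I}(B)[x'/x]) \wedge (t \not\varepsilon\, \mathcal{I}(B)[x'/x] \vee t \,\varepsilon\, \mathcal{I}(B)))\ \wedge \\
&\forall t \forall s\,((t \neq_{\mathcal{I}(B)} s \vee t =_{\mathcal{I}(B)[x'/x]} s) \wedge (t \neq_{\mathcal{I}(B)[x'/x]} s \vee t =_{\mathcal{I}(B)} s))).
\end{aligned}$$

By using classical logic and the inductive hypothesis on coding for $A$, we obtain that 

$$\begin{aligned}
(***)\quad ID_1 \vdash \forall x \forall x'\,(x \neq_{\mathcal{I}(A)} x' \vee (&\forall t\,((t \not\varepsilon\, \mathcal{I}(B) \vee t \,\varepsilon\, \mathcal{I}(B)[x'/x]) \wedge (t \not\varepsilon\, \mathcal{I}(B)[x'/x] \vee t \,\varepsilon\, \mathcal{I}(B)))\ \wedge \\
&\forall t \forall s\,((t \neq_{\mathcal{I}(B)} s \vee t =_{\mathcal{I}(B)[x'/x]} s) \wedge (t \neq_{\mathcal{I}(B)[x'/x]} s \vee t =_{\mathcal{I}(B)} s)))).
\end{aligned}$$

Combining $(*)$, $(**)$ and $(***)$ we obtain that 

$$ID_1 \vdash Fam(\Lambda x.\mathcal{I}(B), \mathcal{I}(A))$$

from which we deduce that 

$$ID_1 \vdash Set(\mathcal{I}((\Pi x \in A)B)) \wedge Set(\mathcal{I}((\Sigma x \in A)B)).$$

The cases of $\forall$ and $\exists$ are similar. 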

Consequences of the validity theorem 

We discuss here the validity in our realizability model for mTT of some principles, namely 
Extensionality Equality of Functions, Axiom of Choice and formal Church Thesis. 

1. Extensionality Equality of Functions can be formulated as a proposition in mTT as 
follows: 

$$(\mathbf{extFun})\quad (\forall f \in (\Pi x \in A) B)\,(\forall g \in (\Pi x \in A) B)\,((\forall x \in A)\, Id(B, Ap(f,x), Ap(g,x)) \rightarrow Id((\Pi x \in A)B, f, g))$$

Since the judgements $f = g \in (\Pi x \in A) B$ and $Ap(f, x) = Ap(g, x) \in B\ [x \in A]$ have the 
same interpretation, extFun can be realized by the term $\Lambda f.\Lambda g.\Lambda r.0$, i.e. our model realises 
extFun. 


2. The Axiom of Choice $AC_{A,B}$ is represented in mTT by the following proposition: 

$$(\mathbf{AC}_{A,B})\quad (\forall x \in A)\,(\exists y \in B)\, \rho(x, y) \rightarrow (\exists f \in (\Pi x \in A) B)\,(\forall x \in A)\, \rho(x, Ap(f, x))$$

Unfortunately a realizer $r$ for $(\forall x \in A)\,(\exists y \in B)\, \rho(x,y)$ cannot be turned into a recursive 
function from $\mathcal{J}(A)$ to $\mathcal{J}(B)$ respecting equivalence relations $\sim_{\mathcal{I}(A)}$ and $\sim_{\mathcal{I}(B)}$, as the 
interpretation of propositions is proof-irrelevant and we can have different elements $a$ and $a'$ of 
$\mathcal{J}(A)$ which are equivalent in $\mathcal{I}(A)$ for which $\pi_1(\{r\}(a))$ and $\pi_1(\{r\}(a'))$ are not equivalent in 
$\mathcal{I}(B)$. This problem can be avoided if $A$ is a numerical set and in particular in the case of the 
set $N$. In this case the natural number $\Lambda r.(\Lambda n.\pi_1(\{r\}(n)), \Lambda n.\pi_2(\{r\}(n)))$ is a realizer for the 
axiom of choice $AC_{N,B}$. So $\mathcal{R} \Vdash AC_{N,B}$ for every $B$. 

Moreover also the axiom of unique choice $AC_!$ given by 

$$(\mathbf{AC}_!)\quad (\forall x \in A)\,(\exists! y \in B)\, \rho(x, y) \rightarrow (\exists f \in (\Pi x \in A) B)\,(\forall x \in A)\, \rho(x, Ap(f, x))$$

is validated by the model $\mathcal{R}$. In fact if $\rho(x, y)$ is a proposition in context $[x \in A, y \in B]$, then 
in particular $ID_1 \vdash \forall x \forall x' \forall y \forall t\,(x \sim_{\mathcal{I}(A)} x' \wedge y \,\varepsilon\, \mathcal{J}(B) \wedge t \Vdash \rho(x,y) \rightarrow t \Vdash \rho(x',y))$. This 
implies that we can easily choose a realizer for the axiom of unique choice. 


3. If is a formula of first-order arithmetic HA, then we can define a proposition ip in mTT, 
according to the following conditions: 

$\bot$ is $\bot$ 
$\varphi \wedge \varphi'$ is $\varphi \wedge \varphi'$ 
$\exists x\, \varphi$ is $(\exists x \in N)\varphi$ 
$t = s$ is $Id(N, t, s)$ 
$\varphi \vee \varphi'$ is $\varphi \vee \varphi'$ 
$\forall x\, \varphi$ is $(\forall x \in N)\varphi$ 
$\varphi \rightarrow \varphi'$ is $\varphi \rightarrow \varphi'$ 

where t and s are the translations of terms of HA in mTT (in particular primitive recursive 
functions of HA are translated via Eliq, succ and 0 are translated in the obvious corresponding 
ones and variables are interpreted as themselves). The language of HA can also be naturally 
interpreted in $ID_1$ by using the fact that each primitive recursive function can be encoded by 
a numeral. If t is a term of HA we will still write t for its translation in $ID_1$. The following 
lemma is an immediate consequence of the definition of our realizability interpretation where 
$\Vdash_k$ denotes Kleene realizability in HA (see [21]): 


Lemma 3.1. If $t$ is a term of HA and $\varphi$ is a formula of HA, then 

(a) $ID_1 \vdash \mathcal{I}(t) = t$ 

(b) $ID_1 \vdash n \Vdash_k \varphi \leftrightarrow n \Vdash \varphi$. 


The formal Church Thesis CT can be expressed in mTT as the following proposition 

$$(\mathbf{CT})\quad (\forall x \in N)\,(\exists y \in N)\, \rho(x, y) \rightarrow (\exists e \in N)\,(\forall x \in N)\,(\exists u \in N)\,(T(e,x,u) \wedge \rho(x, U(u)))$$

where $T$ and $U$ are the Kleene predicate and the primitive recursive function representing 
Kleene application in HA. Note that the validity of CT can be obtained by glueing $AC_{N,N}$ 
together with the following restricted form of Church Thesis for type-theoretic functions: 

$$(\mathbf{CT}_a)\quad (\forall f \in (\Pi x \in N)N)\,(\exists e \in N)\,(\forall x \in N)\,(\exists u \in N)\,(T(e, x, u) \wedge Id(N, Ap(f, x), U(u)))$$

We know by general results on Kleene realizability that there exists a numeral $r$ for which 
$HA \vdash \exists u\, T(f,x,u) \rightarrow (\{r\}(f,x) \Vdash \exists u\, T(f,x,u))$. Using this remark, the fact that $\{f\}(x)\downarrow$ is 
equivalent to $\exists u\, T(f, x, u)$ in $ID_1$, the proof irrelevance and Lemma 3.1 we can show that $CT_a$ 
can be realized by 

$$\Lambda f.(f, \Lambda x.(\{p_1\}(\{r\}(f, x)), (\{p_2\}(\{r\}(f, x)), 0))).$$

(Footnote on $\exists!$) $(\exists! x \in A)P(x)$ is defined as $(\exists x \in A)P(x) \wedge (\forall x \in A)(\forall x' \in A)(P(x) \wedge P(x') \rightarrow Id(A, x, x'))$. 

(Footnote on the translation of variables) Here we suppose that variables of HA coincide with variables of the untyped syntax of $\mathbf{mTT}^a$. 

In fact every function from $N$ to $N$ is interpreted in the model as a code for a total recursive 
function and we can send this code to itself in order to realize Church Thesis. Proof irrelevance 
allows us to ignore the problem that different codes can give rise to extensionally equal functions, 
which is crucial to prove validity of CT. 
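
The following toy model is an added illustration, not part of the paper: it shows why sending a code to itself cannot be a choice function on extensionally equal functions, yet is harmless once the existential witness is proof-irrelevant. The tuple-shaped codes, the finite sample standing in for "all n", and every function name are assumptions made for the example.

```python
# Added illustration (not from the paper). Codes are nested tuples, a
# constructed stand-in for the numerals that code total recursive functions.

def run(code, x):
    """Plays the role of Kleene application {code}(x) for the toy codes."""
    op = code[0]
    if op == "var":
        return x
    if op == "const":
        return code[1]
    if op == "add":
        return run(code[1], x) + run(code[2], x)
    if op == "mul":
        return run(code[1], x) * run(code[2], x)
    raise ValueError(f"not a code: {code!r}")

SAMPLE = range(50)  # finite stand-in for "for all n in N" (assumption)

def ext_equal(f, g):
    """f ~ g in the interpretation of N -> N: equal values on every input."""
    return all(run(f, n) == run(g, n) for n in SAMPLE)

def ct_witness(f):
    """Index e given by the realizer of the restricted Church Thesis: f itself."""
    return f

def realizes_ct(f, e):
    """e is a correct index for f: {e}(n) equals Ap(f, n) for all sampled n."""
    return all(run(e, n) == run(f, n) for n in SAMPLE)

def respects_equivalence(choice, codes):
    """Does `choice` send ~-related codes to equal values, as a choice
    function on the quotient (the Axiom of Choice on N -> N) would have to?"""
    return all(choice(f) == choice(g)
               for f in codes for g in codes if ext_equal(f, g))

# Two different codes for the same function n |-> 2n (constructed sample).
DOUBLE_SUM = ("add", ("var",), ("var",))
DOUBLE_PROD = ("mul", ("const", 2), ("var",))

def demo():
    codes = [DOUBLE_SUM, DOUBLE_PROD]
    return {
        "codes are extensionally equal": ext_equal(DOUBLE_SUM, DOUBLE_PROD),
        "witnesses coincide": ct_witness(DOUBLE_SUM) == ct_witness(DOUBLE_PROD),
        "each witness is a valid index for the other code":
            realizes_ct(DOUBLE_SUM, ct_witness(DOUBLE_PROD))
            and realizes_ct(DOUBLE_PROD, ct_witness(DOUBLE_SUM)),
        "witness map respects ~": respects_equivalence(ct_witness, codes),
    }

if __name__ == "__main__":
    for claim, holds in demo().items():
        print(f"{claim}: {holds}")
```

The witness map fails to respect the equivalence, which is the obstruction to choice on generic types described in item 2, while every witness remains a valid index, which is all a proof-irrelevant existential asks for.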

We can conclude this section by stating the following consistency results: 


Theorem 3.2. mTT is consistent with CT. 

Corollary 3.1. emTT is consistent with CT. 

Proof. According to the interpretation of emTT in mTT in m, the interpretation of CT 
turns out to be equivalent to CT itself. Therefore a model showing consistency of mTT with 
CT can be extended to a model of emTT with CT. □ 


4 Conclusions 

As explained in the introduction, the semantics built here is the best Kleene realizability model we 
can construct for the extensional level emTT of the Minimalist Foundation, since emTT validates 
Extensionality Equality of Functions and it is constructively incompatible with the Axiom of Choice 
on generic sets (see [10]), which is instead valid in Beeson’s model. In our semantics instances of 
the axiom of choice are still valid only on numerical sets, which include the interpretation of basic 
intensional types as the set of natural numbers. 

On the contrary, for the intensional level mTT of the Minimalist Foundation we hope to build 
a more intensional realizability semantics à la Kleene where we validate not only CT but also the 
Axiom of Choice AC on generic types. Recalling from [1^ that our mTT can be naturally 
interpreted in Martin-Löf’s type theory with one universe, such an intensional Kleene realizability 
for mTT could be obtained by modelling intensional Martin-Löf’s type theory with one universe 
(with explicit substitutions in place of the usual substitution term equality rules) together with CT. 
However, as far as we know, the consistency of intensional Martin-Löf’s type theory with CT is still 
an open problem. 

5 Appendix: The typed calculus mTT 

We present here the inference rules to build types in mTT. The inference rules involve judgements 
written in the style of Martin-Löf’s type theory [imiH] that may be of the form: 

$$A\ type\ [\Gamma] \qquad A = B\ type\ [\Gamma] \qquad a \in A\ [\Gamma] \qquad a = b \in A\ [\Gamma]$$

where types include collections, sets, propositions and small propositions, namely 

$$type \in \{col, set, prop, prop_s\}$$


For easiness, the piece of context common to all judgements involved in a rule is omitted and 
typed variables appearing in a context are meant to be added to the implicit context as the last one. 
Note that to write the elimination constructors of our types we adopt the higher-order syntax in 

mB 

We also have a form of judgement to build contexts: 

$$\Gamma\ cont$$

whose rules are the following 

$$\emptyset\ cont$$

$$\Gamma, x \in A\ cont$$

Then, the first rule to build elements of type is the assumption of variables: 

$$\text{var)}\quad \frac{\Gamma, x \in A, \Delta\ \ cont}{x \in A\ [\Gamma, x \in A, \Delta]}$$

Among types there are the following embeddings: sets are collections and propositions are collections 

$$\text{set-into-col)}\quad \frac{A\ set}{A\ col} \qquad\qquad \text{prop-into-col)}\quad \frac{A\ prop}{A\ col}$$

Moreover, collections are closed under strong indexed sums: 

Strong Indexed Sum 

$$\text{F-}\Sigma)\quad \frac{C(x)\ col\ [x \in B]}{\Sigma_{x \in B} C(x)\ col} \qquad\qquad \text{I-}\Sigma)\quad \frac{b \in B \quad c \in C(b) \quad C(x)\ col\ [x \in B]}{\langle b, c \rangle \in \Sigma_{x \in B} C(x)}$$

$$\text{E-}\Sigma)\quad \frac{\begin{array}{c} M(z)\ col\ [z \in \Sigma_{x \in B} C(x)] \\ d \in \Sigma_{x \in B} C(x) \quad m(x,y) \in M(\langle x, y \rangle)\ [x \in B, y \in C(x)] \end{array}}{El_{\Sigma}(d, m) \in M(d)}$$

$$\text{C-}\Sigma)\quad \frac{\begin{array}{c} M(z)\ col\ [z \in \Sigma_{x \in B} C(x)] \\ b \in B \quad c \in C(b) \quad m(x,y) \in M(\langle x, y \rangle)\ [x \in B, y \in C(x)] \end{array}}{El_{\Sigma}(\langle b, c \rangle, m) = m(b, c) \in M(\langle b, c \rangle)}$$

(Footnote on the higher-order syntax) For example, note that the elimination constructor of disjunction $El_{\vee}(w, a_B, a_C)$ binds the open terms $a_B(x) \in A\ [x \in B]$ 
and $a_C(y) \in A\ [y \in C]$. Indeed, given that they are needed in the disjunction conversion rules, it follows 
that these open terms must be encoded into the elimination constructor. To encode them we use the higher-order 
syntax as in m (see also 0). According to this syntax the open term $a_B(x) \in A\ [x \in B]$ yields $(x \in B)\, a_B(x)$ 
of higher type $(x \in B)\, A$. Then, by $\eta$-conversion among higher types, it follows that $(x \in B)\, a_B(x)$ is equal to $a_B$. 
Hence, we often simply write the short expression $a_B$ to recall the open term where it comes from. 

Sets are generated as follows: 


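Empty set 

$$\text{F-Em)}\quad N_0\ set \qquad\qquad \text{E-Em)}\quad \frac{a \in N_0 \quad A(x)\ col\ [x \in N_0]}{emp_0(a) \in A(a)}$$

Singleton 

$$\text{S)}\quad N_1\ set \qquad\qquad \text{I-S)}\quad \star \in N_1$$

$$\text{E-S)}\quad \frac{t \in N_1 \quad M(z)\ col\ [z \in N_1] \quad c \in M(\star)}{El_{N_1}(t, c) \in M(t)}$$

$$\text{C-S)}\quad \frac{M(z)\ col\ [z \in N_1] \quad c \in M(\star)}{El_{N_1}(\star, c) = c \in M(\star)}$$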


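Strong Indexed Sum set 

$$\frac{C(x)\ set\ [x \in B] \quad B\ set}{\Sigma_{x \in B} C(x)\ set}$$

List set 

$$\text{F-list)}\quad \frac{C\ set}{List(C)\ set} \qquad \text{I}_1\text{-list)}\quad \frac{List(C)\ set}{\epsilon \in List(C)} \qquad \text{I}_2\text{-list)}\quad \frac{s \in List(C) \quad c \in C}{cons(s, c) \in List(C)}$$

$$\text{E-list)}\quad \frac{\begin{array}{c} L(z)\ col\ [z \in List(C)] \quad s \in List(C) \quad a \in L(\epsilon) \\ l(x, y, z) \in L(cons(x, y))\ [x \in List(C), y \in C, z \in L(x)] \end{array}}{El_{List}(s, a, l) \in L(s)}$$

$$\text{C}_1\text{-list)}\quad \frac{\begin{array}{c} L(z)\ col\ [z \in List(C)] \quad a \in L(\epsilon) \\ l(x, y, z) \in L(cons(x, y))\ [x \in List(C), y \in C, z \in L(x)] \end{array}}{El_{List}(\epsilon, a, l) = a \in L(\epsilon)}$$

$$\text{C}_2\text{-list)}\quad \frac{\begin{array}{c} L(z)\ col\ [z \in List(C)] \quad s \in List(C) \quad c \in C \quad a \in L(\epsilon) \\ l(x, y, z) \in L(cons(x, y))\ [x \in List(C), y \in C, z \in L(x)] \end{array}}{El_{List}(cons(s, c), a, l) = l(s, c, El_{List}(s, a, l)) \in L(cons(s, c))}$$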


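Disjoint Sum set 

$$\text{F-+)}\quad \frac{B\ set \quad C\ set}{B + C\ set} \qquad \text{I}_1\text{-+)}\quad \frac{b \in B \quad B\ set \quad C\ set}{inl(b) \in B + C} \qquad \text{I}_2\text{-+)}\quad \frac{c \in C \quad B\ set \quad C\ set}{inr(c) \in B + C}$$

$$\text{E-+)}\quad \frac{\begin{array}{c} A(z)\ col\ [z \in B + C] \\ w \in B + C \quad a_B(x) \in A(inl(x))\ [x \in B] \quad a_C(y) \in A(inr(y))\ [y \in C] \end{array}}{El_{+}(w, a_B, a_C) \in A(w)}$$

$$\text{C}_1\text{-+)}\quad \frac{\begin{array}{c} A(z)\ col\ [z \in B + C] \\ b \in B \quad a_B(x) \in A(inl(x))\ [x \in B] \quad a_C(y) \in A(inr(y))\ [y \in C] \end{array}}{El_{+}(inl(b), a_B, a_C) = a_B(b) \in A(inl(b))}$$

$$\text{C}_2\text{-+)}\quad \frac{\begin{array}{c} A(z)\ col\ [z \in B + C] \\ c \in C \quad a_B(x) \in A(inl(x))\ [x \in B] \quad a_C(y) \in A(inr(y))\ [y \in C] \end{array}}{El_{+}(inr(c), a_B, a_C) = a_C(c) \in A(inr(c))}$$

Dependent Product set 

$$\text{F-}\Pi)\quad \frac{C(x)\ set\ [x \in B] \quad B\ set}{\Pi_{x \in B} C(x)\ set} \qquad\qquad \text{I-}\Pi)\quad \frac{c(x) \in C(x)\ [x \in B] \quad C(x)\ set\ [x \in B] \quad B\ set}{\lambda x^{B}.c(x) \in \Pi_{x \in B} C(x)}$$

$$\text{E-}\Pi)\quad \frac{b \in B \quad f \in \Pi_{x \in B} C(x)}{Ap(f, b) \in C(b)}$$

$$\beta\text{C-}\Pi)\quad \frac{b \in B \quad c(x) \in C(x)\ [x \in B] \quad C(x)\ set\ [x \in B] \quad B\ set}{Ap(\lambda x^{B}.c(x), b) = c(b) \in C(b)}$$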


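Propositions are generated as follows: 

Falsum 

$$\text{F-Fs)}\quad \bot\ prop \qquad\qquad \text{E-Fs)}\quad \frac{a \in \bot \quad \varphi\ prop}{r_0(a) \in \varphi}$$

Disjunction 

$$\text{F-}\vee)\quad \frac{\psi\ prop \quad \alpha\ prop}{\psi \vee \alpha\ prop} \qquad \text{I}_1\text{-}\vee)\quad \frac{b \in \psi \quad \psi\ prop \quad \alpha\ prop}{inl_{\vee}(b) \in \psi \vee \alpha} \qquad \text{I}_2\text{-}\vee)\quad \frac{c \in \alpha \quad \psi\ prop \quad \alpha\ prop}{inr_{\vee}(c) \in \psi \vee \alpha}$$

$$\text{E-}\vee)\quad \frac{\begin{array}{c} \varphi\ prop \\ w \in \psi \vee \alpha \quad a_{\psi}(x) \in \varphi\ [x \in \psi] \quad a_{\alpha}(y) \in \varphi\ [y \in \alpha] \end{array}}{El_{\vee}(w, a_{\psi}, a_{\alpha}) \in \varphi}$$

$$\text{C}_1\text{-}\vee)\quad \frac{\begin{array}{c} \varphi\ prop \quad \psi\ prop \quad \alpha\ prop \\ b \in \psi \quad a_{\psi}(x) \in \varphi\ [x \in \psi] \quad a_{\alpha}(y) \in \varphi\ [y \in \alpha] \end{array}}{El_{\vee}(inl_{\vee}(b), a_{\psi}, a_{\alpha}) = a_{\psi}(b) \in \varphi}$$

$$\text{C}_2\text{-}\vee)\quad \frac{\begin{array}{c} \varphi\ prop \quad \psi\ prop \quad \alpha\ prop \\ c \in \alpha \quad a_{\psi}(x) \in \varphi\ [x \in \psi] \quad a_{\alpha}(y) \in \varphi\ [y \in \alpha] \end{array}}{El_{\vee}(inr_{\vee}(c), a_{\psi}, a_{\alpha}) = a_{\alpha}(c) \in \varphi}$$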


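Conjunction 

$$\text{F-}\wedge)\quad \frac{\psi\ prop \quad \alpha\ prop}{\psi \wedge \alpha\ prop} \qquad\qquad \text{I-}\wedge)\quad \frac{b \in \psi \quad c \in \alpha \quad \psi\ prop \quad \alpha\ prop}{\langle b,_{\wedge} c \rangle \in \psi \wedge \alpha}$$

$$\text{E}_1\text{-}\wedge)\quad \frac{d \in \psi \wedge \alpha}{\pi_1^{\psi}(d) \in \psi} \qquad\qquad \text{E}_2\text{-}\wedge)\quad \frac{d \in \psi \wedge \alpha}{\pi_2^{\alpha}(d) \in \alpha}$$

$$\beta_1\text{C-}\wedge)\quad \frac{b \in \psi \quad c \in \alpha \quad \psi\ prop \quad \alpha\ prop}{\pi_1^{\psi}(\langle b,_{\wedge} c \rangle) = b \in \psi} \qquad\qquad \beta_2\text{C-}\wedge)\quad \frac{b \in \psi \quad c \in \alpha \quad \psi\ prop \quad \alpha\ prop}{\pi_2^{\alpha}(\langle b,_{\wedge} c \rangle) = c \in \alpha}$$

Implication 

$$\text{F-}{\rightarrow})\quad \frac{\psi\ prop \quad \alpha\ prop}{\psi \rightarrow \alpha\ prop} \qquad\qquad \text{I-}{\rightarrow})\quad \frac{c(x) \in \alpha\ [x \in \psi] \quad \psi\ prop \quad \alpha\ prop}{\lambda_{\rightarrow} x^{\psi}.c(x) \in \psi \rightarrow \alpha}$$

$$\text{E-}{\rightarrow})\quad \frac{b \in \psi \quad f \in \psi \rightarrow \alpha}{Ap_{\rightarrow}(f, b) \in \alpha}$$

$$\beta\text{C-}{\rightarrow})\quad \frac{b \in \psi \quad c(x) \in \alpha\ [x \in \psi] \quad \psi\ prop \quad \alpha\ prop}{Ap_{\rightarrow}(\lambda_{\rightarrow} x^{\psi}.c(x), b) = c(b) \in \alpha}$$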

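Existential quantification 

$$\text{F-}\exists)\quad \frac{\alpha(x)\ prop\ [x \in B]}{\exists_{x \in B}\, \alpha(x)\ prop} \qquad\qquad \text{I-}\exists)\quad \frac{b \in B \quad c \in \alpha(b) \quad \alpha(x)\ prop\ [x \in B]}{\langle b,_{\exists} c \rangle \in \exists_{x \in B}\, \alpha(x)}$$

$$\text{E-}\exists)\quad \frac{\begin{array}{c} \varphi\ prop \\ d \in \exists_{x \in B}\, \alpha(x) \quad m(x, y) \in \varphi\ [x \in B, y \in \alpha(x)] \end{array}}{El_{\exists}(d, m) \in \varphi}$$

$$\text{C-}\exists)\quad \frac{\begin{array}{c} \varphi\ prop \quad \alpha(x)\ prop\ [x \in B] \\ b \in B \quad c \in \alpha(b) \quad m(x, y) \in \varphi\ [x \in B, y \in \alpha(x)] \end{array}}{El_{\exists}(\langle b,_{\exists} c \rangle, m) = m(b, c) \in \varphi}$$

Universal quantification 

$$\text{F-}\forall)\quad \frac{\alpha(x)\ prop\ [x \in B]}{\forall_{x \in B}\, \alpha(x)\ prop} \qquad\qquad \text{I-}\forall)\quad \frac{c(x) \in \alpha(x)\ [x \in B] \quad \alpha(x)\ prop\ [x \in B]}{\lambda_{\forall} x^{B}.c(x) \in \forall_{x \in B}\, \alpha(x)}$$

$$\text{E-}\forall)\quad \frac{b \in B \quad f \in \forall_{x \in B}\, \alpha(x)}{Ap_{\forall}(f, b) \in \alpha(b)}$$

$$\beta\text{C-}\forall)\quad \frac{b \in B \quad c(x) \in \alpha(x)\ [x \in B] \quad \alpha(x)\ prop\ [x \in B]}{Ap_{\forall}(\lambda_{\forall} x^{B}.c(x), b) = c(b) \in \alpha(b)}$$

Propositional Equality 

$$\text{F-Id)}\quad \frac{A\ col \quad a \in A \quad b \in A}{Id(A, a, b)\ prop} \qquad\qquad \text{I-Id)}\quad \frac{a \in A}{id_A(a) \in Id(A, a, a)}$$

$$\text{E-Id)}\quad \frac{\begin{array}{c} \alpha(x, y)\ prop\ [x \in A, y \in A] \\ a \in A \quad b \in A \quad p \in Id(A, a, b) \quad c(x) \in \alpha(x, x)\ [x \in A] \end{array}}{El_{Id}(p, (x)c(x)) \in \alpha(a, b)}$$

$$\text{C-Id)}\quad \frac{\begin{array}{c} \alpha(x, y)\ prop\ [x \in A, y \in A] \\ a \in A \quad c(x) \in \alpha(x, x)\ [x \in A] \end{array}}{El_{Id}(id_A(a), (x)c(x)) = c(a) \in \alpha(a, a)}$$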


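Then, we also have the collection of small propositions: 

Collection of small propositions 

$$\text{F-Pr)}\quad prop_s\ col$$

The collection of small propositions contains codes of small propositions 

$$\text{T-Pr)}\quad \frac{p \in prop_s}{T(p)\ prop_s}$$

which are generated as follows: 

$$\text{Pr}_1)\quad \widehat{\bot} \in prop_s \qquad\qquad \text{Pr}_2)\quad \frac{p \in prop_s \quad q \in prop_s}{p\, \widehat{\vee}\, q \in prop_s}$$

$$\text{Pr}_3)\quad \frac{p \in prop_s \quad q \in prop_s}{p\, \widehat{\rightarrow}\, q \in prop_s} \qquad\qquad \text{Pr}_4)\quad \frac{p \in prop_s \quad q \in prop_s}{p\, \widehat{\wedge}\, q \in prop_s}$$

$$\text{Pr}_5)\quad \frac{p(x) \in prop_s\ [x \in B] \quad B\ set}{\widehat{\exists}_{x \in B}\, p(x) \in prop_s} \qquad\qquad \text{Pr}_6)\quad \frac{p(x) \in prop_s\ [x \in B] \quad B\ set}{\widehat{\forall}_{x \in B}\, p(x) \in prop_s}$$

$$\text{Pr}_7)\quad \frac{A\ set \quad a \in A \quad b \in A}{\widehat{Id}(A, a, b) \in prop_s}$$

with the following definitional equalities: 

$$\text{eq-Pr}_1)\quad T(\widehat{\bot}) = \bot \qquad\qquad \text{eq-Pr}_2)\quad \frac{p \in prop_s \quad q \in prop_s}{T(p\, \widehat{\vee}\, q) = T(p) \vee T(q)}$$

$$\text{eq-Pr}_3)\quad \frac{p \in prop_s \quad q \in prop_s}{T(p\, \widehat{\rightarrow}\, q) = T(p) \rightarrow T(q)} \qquad\qquad \text{eq-Pr}_4)\quad \frac{p \in prop_s \quad q \in prop_s}{T(p\, \widehat{\wedge}\, q) = T(p) \wedge T(q)}$$

$$\text{eq-Pr}_5)\quad \frac{p(x) \in prop_s\ [x \in B] \quad B\ set}{T(\widehat{\exists}_{x \in B}\, p(x)) = \exists_{x \in B}\, T(p(x))} \qquad\qquad \text{eq-Pr}_6)\quad \frac{p(x) \in prop_s\ [x \in B] \quad B\ set}{T(\widehat{\forall}_{x \in B}\, p(x)) = \forall_{x \in B}\, T(p(x))}$$

$$\text{eq-Pr}_7)\quad \frac{A\ set \quad a \in A \quad b \in A}{T(\widehat{Id}(A, a, b)) = Id(A, a, b)}$$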


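Then, we also have function collections from a set toward the collection of small propositions: 

Function collection to $prop_s$ 

$$\text{F-Fun)}\quad \frac{B\ set}{B \rightarrow prop_s\ col} \qquad\qquad \text{I-Fun)}\quad \frac{c(x) \in prop_s\ [x \in B] \quad B\ set}{\lambda x^{B}.c(x) \in B \rightarrow prop_s}$$

$$\text{E-Fun)}\quad \frac{b \in B \quad f \in B \rightarrow prop_s}{Ap(f, b) \in prop_s} \qquad\qquad \beta\text{C-Fun)}\quad \frac{b \in B \quad c(x) \in prop_s\ [x \in B] \quad B\ set}{Ap(\lambda x^{B}.c(x), b) = c(b) \in prop_s}$$

And we add rules saying that a small proposition is a proposition and that a small proposition is a set: 

$$\text{prop}_s\text{-into-prop)}\quad \frac{\varphi\ prop_s}{\varphi\ prop} \qquad\qquad \text{prop}_s\text{-into-set)}\quad \frac{\varphi\ prop_s}{\varphi\ set}$$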


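Equality rules include those saying that type equality is an equivalence relation and substitution of 
equal terms in a type: 

$$\text{ref)}\quad \frac{A\ type}{A = A\ type} \qquad \text{sym)}\quad \frac{A = B\ type}{B = A\ type} \qquad \text{tra)}\quad \frac{A = B\ type \quad B = C\ type}{A = C\ type}$$

$$\text{subT)}\quad \frac{\begin{array}{c} C(x_1, \ldots, x_n)\ type\ [x_1 \in A_1, \ldots, x_n \in A_n(x_1, \ldots, x_{n-1})] \\ a_1 = b_1 \in A_1 \quad \ldots \quad a_n = b_n \in A_n(a_1, \ldots, a_{n-1}) \end{array}}{C(a_1, \ldots, a_n) = C(b_1, \ldots, b_n)\ type}$$

where $type \in \{col, set, prop, prop_s\}$ with the same choice both in the premise and in the conclusion. 
For terms into sets we add the following equality rules: 

$$\text{ref)}\quad \frac{a \in A}{a = a \in A} \qquad \text{sym)}\quad \frac{a = b \in A}{b = a \in A} \qquad \text{tra)}\quad \frac{a = b \in A \quad b = c \in A}{a = c \in A}$$

$$\text{sub)}\quad \frac{\begin{array}{c} c(x_1, \ldots, x_n) \in C(x_1, \ldots, x_n)\ [x_1 \in A_1, \ldots, x_n \in A_n(x_1, \ldots, x_{n-1})] \\ a_1 = b_1 \in A_1 \quad \ldots \quad a_n = b_n \in A_n(a_1, \ldots, a_{n-1}) \end{array}}{c(a_1, \ldots, a_n) = c(b_1, \ldots, b_n) \in C(a_1, \ldots, a_n)}$$

$$\text{conv)}\quad \frac{a \in A \quad A = B\ type}{a \in B} \qquad\qquad \text{conv-eq)}\quad \frac{a = b \in A \quad A = B\ type}{a = b \in B}$$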

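Now the equality rules about collections are the following: 

Strong Indexed Sum-eq 

$$\text{eq-}\Sigma)\quad \frac{C(x) = D(x)\ col\ [x \in B] \quad B = E\ col}{\Sigma_{x \in B} C(x) = \Sigma_{x \in E} D(x)\ col}$$

Dependent Product-eq 

$$\frac{C(x) = D(x)\ col\ [x \in B] \quad B = E\ col}{\Pi_{x \in B} C(x) = \Pi_{x \in E} D(x)\ col}$$

Then, the equality about sets are the following: 

Lists-eq 

$$\text{eq-list)}\quad \frac{C = D\ set}{List(C) = List(D)\ set}$$

Disjoint Sum-eq 

$$\text{eq-+)}\quad \frac{B = E\ set \quad C = D\ set}{B + C = E + D\ set}$$

Strong Indexed Sum-eq 

$$\text{eq-}\Sigma)\quad \frac{C(x) = D(x)\ set\ [x \in B] \quad B = E\ set}{\Sigma_{x \in B} C(x) = \Sigma_{x \in E} D(x)\ set}$$

Dependent Product-eq 

$$\text{eq-}\Pi)\quad \frac{C(x) = D(x)\ set\ [x \in B] \quad B = E\ set}{\Pi_{x \in B} C(x) = \Pi_{x \in E} D(x)\ set}$$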


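Then, mTT includes the following equalities rules about propositions: 

Disjunction-eq 

$$\text{eq-}\vee)\quad \frac{\psi = \alpha\ prop \quad \varphi = \beta\ prop}{\psi \vee \varphi = \alpha \vee \beta\ prop}$$

Implication-eq 

$$\text{eq-}{\rightarrow})\quad \frac{\psi = \alpha\ prop \quad \varphi = \beta\ prop}{\psi \rightarrow \varphi = \alpha \rightarrow \beta\ prop}$$

Conjunction-eq 

$$\text{eq-}\wedge)\quad \frac{\psi = \alpha\ prop \quad \varphi = \beta\ prop}{\psi \wedge \varphi = \alpha \wedge \beta\ prop}$$

Propositional equality-eq 

$$\text{eq-Id)}\quad \frac{A = E\ col \quad a = e \in A \quad b = c \in A}{Id(A, a, b) = Id(E, e, c)\ prop}$$

Existential quantification-eq 

$$\text{eq-}\exists)\quad \frac{\alpha(x) = \beta(x)\ prop\ [x \in B] \quad B = E\ prop}{\exists_{x \in B}\, \alpha(x) = \exists_{x \in E}\, \beta(x)\ prop}$$

Universal quantification-eq 

$$\text{eq-}\forall)\quad \frac{\alpha(x) = \beta(x)\ prop\ [x \in B] \quad B = E\ prop}{\forall_{x \in B}\, \alpha(x) = \forall_{x \in E}\, \beta(x)\ prop}$$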

The equality of propositions is that of collections, that of small propositions coincides with that of 
$prop_s$ and is that of propositions and that of sets: 

$$\text{prop-into-col eq)}\quad \frac{\varphi = \psi\ prop}{\varphi = \psi\ col}$$

$$\text{prop}_s\text{ eq1)}\quad \frac{\varphi = \psi\ prop_s}{\varphi = \psi \in prop_s} \qquad\qquad \text{prop}_s\text{ eq2)}\quad \frac{\varphi = \psi \in prop_s}{\varphi = \psi\ prop_s}$$

$$\text{prop}_s\text{-into-prop eq)}\quad \frac{\varphi = \psi\ prop_s}{\varphi = \psi\ prop} \qquad\qquad \text{prop}_s\text{-into-set eq)}\quad \frac{\varphi = \psi\ prop_s}{\varphi = \psi\ set}$$